US7464162B2 - Systems and methods for testing whether access to a resource is authorized based on access information - Google Patents

Abstract

The Access Tester allows an administrator, or any other authorized user, to determine who or what entities have access to a resource, whether a particular individual or set of individuals have access to a resource under certain conditions and whether the authorization rules associated with a resource operate as intended. In one embodiment, an administrator uses a graphical user interface to enter access information. Exemplar access information includes one or more URLs identifying the resource(s), one or more request methods, one or more IP addresses, date and time restrictions, and an identification of one or more users. The Access Tester determines whether the identified users are authorized to access the resource(s) associated with the URL(s) using the request methods, during the date and time provided.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No. 60/216,955, Web Access Management, filed Jul. 10, 2000, incorporated herein by reference.

This Application is related to the following Applications:

Cache Flushing, by Joshi, et al., Ser. No. 09/792,911, filed the same day as the present application;

Post Data Processing, by Knouse, et al., Ser. No. 09/793,196, filed the same day as the present application;

User Authentication, by Martherus, et al., Ser. No. 09/793,658, filed the same day as the present application;

Localized Access, by Ramamurthy, et al., Ser. No. 09/793,354, filed the same day as the present application;

Query String Processing, by Crosbie, et al., Ser. No. 09/793,355, filed the same day as the present application;

Logging Access System Events, by Joshi, et al., Ser. No. 09/792,915, filed the same day as the present application;

Providing Data To Applications from an Access System, by Joshi, et al., Ser. No. 09/792,934, filed the same day as the present application; and

Intrusion Threat Detection, by Jeffrey D. Hodges, Ser. No. 09/793,320, filed the same day as the present application.

Each of these related Applications are incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention is directed to technology for protecting resources available on network.

2. Description of the Related Art

As the impact of the Internet continues to alter the economic landscape, companies are experiencing a fundamental shift in how they do business. Business processes involve complex interactions between companies and their customers, suppliers, partners and employees. For example, businesses interact constantly with their customers—often other businesses—to provide information on product specification and availability. Businesses also interact with vendors and suppliers in placing orders and obtaining payments. Businesses must also make a wide array of information and services available to their employee populations, generating further interactions.

To meet new challenges and leverage opportunities, while reducing their overall cost-of-interactions, many organizations are migrating to network-based business processes and models. Among the most important of these is Internet-based E-business.

To effectively migrate their complex interactions to an Internet-based E-business environment, organizations must contend with a wide array of challenges and issues. For example, businesses need to securely provide access to business applications and content to users they deem authorized. This implies that businesses need to be confident that unauthorized use is prevented. Often, this involves the nontrivial, ongoing task of attempting to tie together disparate, system-specific authentication and/or authorization schemes.

E-business is also challenged with cohesively managing disparate end user, application, content, policy and administrative information. Historically, user and authorization information have been stored in application-specific formats and often on a per-application basis. It is labor intensive to maintain consistency across the disparate repositories and, thus, the cost for user and policy administration increase as more application and content are added. Such an aggregated system is difficult to replicate and scale. This can lead to operational errors, poor user experiences, and loss of confidence in the E-business by all those concerned.

Another challenge facing E-business is how to scale the E-business over time. A successful E-business network, its applications, and content must be able to seamlessly scale from a modest flood of requests to a torrent. At the same time, it must be able to scale administratively. Increases in traffic, users, and content require additional administrative effort. To avoid bottlenecks, scaling must be accomplished in a decentralized, delegated fashion. This includes incorporating associated portals seamlessly into the E-business network. Because E-businesses often accumulate various disparate systems, they need to offer a seamless experience to users and not unduly burden administrators.

To meet these challenges, an E-business host company needs a web access management solution that delivers the ability to effectively secure and manage all the various network-based interactions. A system should accommodate all participants involved with the E-business, whether they are local or remote. It must also be able to distinguish between the E-business' employees and all the users who are affiliated with the E-business host's customers, suppliers and/or partners.

In the past, various entities have offered identity management systems which store and manage identity information for users such as company employees, suppliers, etc. Additionally, access management systems have been available. These access management systems provide means for authenticating users and authorizing users. However, the previous access management systems do not include, or are not capable of communicating with, a robust identity system. Those that could communicate with an identity system did not take full advantage of the information stored and managed by the identity system.

Furthermore, previous access management systems have not fully provided for the increase in volume of users and content. In today's business climate, the quantity of content protected, the volume of traffic and the number of users accessing the system is enormous. It is up to one or more administrators to provide access rules for the various content. These access rules determine who can access what content. As the amount of content and the number of users increase dramatically, managing these rules becomes difficult. Because the rules are typically generated by humans, it is easy for mistakes to occur. As the system grows, these mistakes multiply. Thus, there is a need for a means to verify control policies created for various content protected by an access management system before the policies are enforced.

SUMMARY OF THE INVENTION

The present invention, roughly described, provides for a system that allows for the assessment of coverage of access control criteria in an access management system by determining access results without granting access to the resource. The present invention allows an administrator, or any other authorized user, to determine who or what entities have access to a resource, whether a particular individual or set of individuals have access to a resource under certain conditions and whether the authorization rules associated with a resource operate as intended. In one embodiment, an administrator uses a graphical user interface to enter access information. One example of access information includes all or some of the following: one or more URLs identifying the resource(s), one or more request methods, one or more IP addresses, date and time restrictions, and an identification of one or more users.

The system of the present invention receives the access information and tests whether the identified one or more resource are authorized for use based on the access information. In one embodiment, this process includes determining whether the identified users are authorized to access the identified resources at the identified date and time, using the identified request methods. The results of the tests are reported to the administrator or other user.

In one embodiment, the process of testing whether a user is authorized to access a resource includes accessing an identity profile for that user and comparing the information in the identity profile to authorization criteria. One example of authorization criteria is an authorization rule. The present invention can use a default authorization rule associated with a set of resources that includes the resource being tested or an authorization rule specific to the particular resource being tested. In one implementation, the system uses the identity of the resource, the request method, data and time to locate an access control policy associated with the resource. The user's access is then determined based on the access control policy.

The present invention can be implemented using hardware, software, or a combination of both hardware and software. The software used for the present invention is stored on one or more processor readable storage devices including hard disk drives, CD-ROMs, optical disks, floppy disks, tape drives, RAM, ROM or other suitable storage devices. In alternative embodiments, some or all of the software can be replaced by dedicated hardware including custom integrated circuits, gate arrays, FPGAs, PLDs, and special purpose computers. Hardware that can be used for the present invention includes computers, handheld devices, telephones (e.g. cellular, Internet enabled, etc.), etc. Some of these devices includes processors, memory, nonvolatile storage, input devices and output devices.

These and other objects and advantages of the present invention will appear more clearly from the following description in which the preferred embodiment of the invention has been set forth in conjunction with the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram depicting the components of one embodiment of the present invention.

FIG. 2 is a block diagram depicting the components of the computing system that can be used with the present invention.

FIG. 3 is a block diagram depicting the components of a Directory Server.

FIG. 4 is an example of a directory tree structure.

FIG. 5 is a flow chart describing a process for setting up access rules for an Identity Management System.

FIG. 6 is a flow chart describing a process for editing an attribute access criteria.

FIG. 7 is a flow chart describing a process for configuring localized access.

FIG. 8 is a flow chart describing a process for controlling access to attributes in the Identity Management System.

FIG. 9 is a flow chart describing a process for determining access to attributes of a target.

FIG. 10 is a flow chart describing a process for determining whether there is a localized access violation for a class.

FIG. 11 is a flow chart describing a process for determining whether there is localized access for an attribute.

FIG. 12 is a flow chart describing a process for modifying an attribute.

FIG. 13 is a flow chart describing the active automation process.

FIG. 14 is a block diagram depicting the components of a Web Gate.

FIG. 15 is a block diagram depicting the components of an Access Server.

FIG. 16 is a flow chart describing a process for creating a policy domain.

FIG. 17 is a flow chart describing a process for adding an authorization rule.

FIG. 18 is a flow chart describing a process for adding header variables to an HTTP request.

FIG. 19 is a flow chart describing a process for adding an authentication rule.

FIG. 20 is a flow chart describing a process for configuring an audit rule.

FIG. 21 is a flow chart describing a process for creating a policy.

FIG. 22 is a flow chart describing an exemplar process performed by the Access System of one embodiment of the present invention.

FIG. 23 is a flow chart describing a process for determining whether a particular resource is protected.

FIG. 24 is a flow chart describing a process for mapping a resource with a policy domain.

FIG. 25 is a flow chart describing a process for retrieving first and second level authentication rules.

FIG. 26 is a flow chart describing a process for determining whether a resource URL matches a specific policy URL.

FIG. 26A is a flow chart describing a process for determining whether a resource matches a specific policy using POST data.

FIG. 27 provides a block diagram of a retainer data structure.

FIG. 28 is a flow chart describing authentication.

FIG. 29 is a block diagram depicting various components involved in the authentication process.

FIG. 30 is a flow chart describing a process for authentication.

FIG. 31 is a flow chart describing a process for retrieving an authentication challenge scheme from a Directory Server.

FIG. 32 is a flow chart describing a method for performing basic authentication.

FIG. 33 is a flow chart describing the process performed by an Access Server to authenticate using a user ID and password.

FIG. 34 is a flow chart describing form authentication.

FIG. 35 is a flow chart describing a process for client certificate authentication.

FIG. 36 is a flow chart describing a process for authenticating a user using certificates.

FIG. 37 is a block diagram depicting the components of one embodiment of an encrypted cookie.

FIG. 38 is a flowchart describing a process for authorization.

FIG. 39 is a flow chart describing the steps performed when passing authorization information using POST data.

FIG. 40 is a block diagram of an exemplar HTTP request.

FIG. 41 is a flow chart describing a process for obtaining first and second level authorization rules from a Directory Server.

FIG. 42 is a flow chart describing a process for evaluating an authorization rule.

FIG. 43 is a flow chart describing a process for applying an authorization rule to extracted POST data.

FIG. 44 is a flow chart describing a process for performing authentication success actions.

FIG. 45 is a flow chart describing a process for performing authentication and authorization failure actions.

FIG. 46 is a flow chart describing a process for performing authorization success actions.

FIG. 47 is a flow chart describing a process for using header variables.

FIG. 48 is a flow chart describing the steps performed by the auditing module of one embodiment of the present invention.

FIG. 49 is a flow chart describing a method for retrieving first and second level audit rules.

FIG. 50 is a block diagram depicting one embodiment of components used for intrusion detection.

FIG. 51 is a flow chart describing a process for detecting intrusions.

FIG. 52 is a flow chart describing a process performed at a security server as part of a process for detecting intrusions.

FIG. 53 is a flow chart describing a process for flushing/synchronizing caches performed by an Access Manager.

FIG. 54 is a block diagram depicting a synchronization record.

FIG. 55 is a flow chart describing a process for flushing/synchronizing caches performed by an Access Server.

FIG. 56 is a flow chart describing a process for flushing/synchronizing caches performed by a Web Gate.

FIG. 57 is a flow chart describing a process for testing access criteria.

DETAILED DESCRIPTION

FIG. 1 depicts an Access System which provides identity management and access management for a network. In general, an Access System manages access to resources available to a network. The identity management portion of the Access System (hereinafter “the Identity Management System”) manages end user identity profiles, while the access management portion of the Access System (hereinafter “the Access Management System”) provides security for resources across one or more web servers. Underlying these modules is active automation, a delegation and work flow technology. The active automation technology couples the Identity and Access Management Systems by facilitating delegation of roles and rights, plus providing workflow-enabled management of end user identity profiles. A key feature of one embodiment of this system is the centralization of the repositories for policies and user identity profiles while decentralizing their administration. That is, one embodiment of the system centralizes the policy and identity repositories by building them on a directory service technology. The system decentralizes their administration by hierarchly delegated Administrative roles. Although the Access System ofFIG. 1 includes an Identity Management System and an Access Management System, other Access Systems may only include an Identity Management System or only include an Access Management System.

FIG. 1 is a block diagram depicting one embodiment for deploying an Access System.FIG. 1 showsweb browsers12 and14 accessingWeb Server18 and/orAdministration Server20 viaInternet16. In one embodiment,web browsers12 and14 are standard web browsers known in the art running on any suitable type of computer.FIG. 1 depictsweb browsers12 and14 communicating withWeb Server24 andAdministration Server20 using HTTP over the Internet; however, other protocols and networks can also be used.

Web Server18 is a standard Web Server known in the art and provides an end user with access to various resources viaInternet16. In one embodiment, there is a first firewall (not shown) connected betweenInternet16 andWeb Server18, a second firewall (not shown) connected betweenWeb Server18 andAccess Server34.

FIG. 1 shows two types of resources:resource22 andresource24.Resource22 is external toWeb Server18 but can be accessed throughWeb Server18.Resource24 is located onWeb Server18. A resource can be anything that is possible to address with a uniform resource locator (URL see RFC 1738). A resource can include a web page, software application, file, database, directory, a data unit, etc. In one embodiment, a resource is anything accessible to a user on a network. The network could be the Internet, a LAN, a WAN, or any other type of network. Table 1, below, provides examples of resources and at least a portion of their respective URL syntax:

	Resource	URL Encoding
	Directory	/Sales/
	HTML Page	/Sales/Collateral/index.html
	CGI Script with no query	/cgi-bin/testscript.cgi
	CGI Script with query	/cgi_bin/testscript.cgi?button=on
	Application	/apps/myapp.exe

A URL includes two main components: a protocol identifier and a resource name separated from the protocol identifier by a colon and two forward slashes. The protocol identifier indicates the name of the protocol to be used to fetch the resource. Examples includes HTTTP, FTP, Gopher, File and News. The resource name is the complete address to the resource. The format of the resource name depends on the protocol. For HTTP, the resource name includes a host name, a file name, a port number (optional) and a reference (optional). The host name is the name of the machine on which the resource resides. The file name is the path name to the file on the machine. The port number is the number of the port to which to connect. A reference is a named anchor within a resource that usually identifies a specific location within a file. Consider the following URL: “http://www.oblix.com/oblix/sales/index.html.” The string “http” is the protocol identifier. The string “www.oblix.com” is the host name. The string “/oblix/sales/index.html” is the file name.

A complete path, or a cropped portion thereof, is called a URL prefix. In the URL above, the string “/oblix/sales/index.html” is a URL prefix and the string “/oblix” is also a URL prefix. The portion of the URL to the right of the host name and to the left of a query string (e.g. to the left of a question mark, if there is a query string) is called the absolute path. In the URL above, “/oblix/sales/index.html” is the absolute path. A URL can also include query data, which is typically information following a question mark. For example, in the URL:

• • http://www.oblix.com/oblix/sales/index.html?user=smith&dept=sales the query data is “user=smith&dept=sales.” Although the discussion herein refers to URLs to identify a resource, other identifiers can also be used within the spirit of the present invention.

FIG. 1shows Web Server18 includingWeb Gate28, which is a software module. In one embodiment,Web Gate28 is a plug-in toWeb Server18.Web Gate28 communicates withAccess Server34.Access Server34 communicates withDirectory Server36.

Administration Server20 is a web-enabled server. In one embodiment,Administration Server20 includesWeb Gate30. Other embodiments ofAdministration Server20 do not includeWeb Gate30.Administration Server20 also includes other software modules, includingUser Manager38,Access Manager40, andSystem Console42.Directory Server36 is in communication withUser Manager38,Access Manager40,System Console42, andAccess Server34.Access Manager40 is also in communication withAccess Server34.

The system ofFIG. 1 is scalable in that there can be many Web Servers (with Web Gates), many Access Servers, and multiple Administration Servers. In one embodiment,Directory Server36 is an LDAP Directory Server and communicates with other servers/modules using LDAP over SSL. In other embodiments,Directory Server36 can implement other protocols or can be other types of data repositories.

The Access Management System includesAccess Server34,Web Gate28, Web Gate30 (if enabled), andAccess Manager40.Access Server34 provides authentication, authorization, and auditing (logging) services. It further provides for identity profiles to be used across multiple domains and Web Servers from a single web-based authentication (sign-on).Web Gate28 acts as an interface betweenWeb Server18 andAccess Server34.Web Gate28 intercepts requests from users forresources22 and24, and authorizes them viaAccess Server34.Access Server34 is able to provide centralized authentication, authorization, and auditing services for resources hosted on or available toWeb Server18 and other Web Servers.

Access Manager40 allows administrators access to manage multiple resources across an enterprise and to delegate policy administration to the persons closest to specific business applications and content. In one embodiment, administrators perform these tasks using an intuitive graphical user interface (“GUI”).

User Manager38 provides a user interface for administrators to use, establish and/or manage identity profiles. An identity profile (also called a user profile or user identity profile) is a set of information associated with a particular user. The data elements of the identity profile are called attributes. In one embodiment, an attribute may include a name, value and access criteria. In one embodiment, an identity profile stores the following attributes: first name, middle name, last name, title, email address, telephone number, fax number, mobile telephone number, pager number, pager email address, identification of work facility, building number, floor number, mailing address, room number, mail stop, manager, direct reports, administrator, organization that the user works for, department number, department URL, skills, projects currently working on, past projects, home telephone, home address, birthday, previous employers and anything else desired to be stored by an administrator. Other information can also be stored. In other embodiments, less or more than the above-listed information is stored.

System Console42 provides a GUI for administrators to perform various tasks such as managing Administration roles, managing various system wide settings, and configuring the Identity and Access Management Systems.System Console42 can be used to manage groups (optional) and departing users, reclaim unused resources, manage logging, configure parameters for authentication, configure parameters for authorization, and so on. Additionally,System Console42 can be used to configure user schemes and control access to certain Identity Management System capabilities (such as “new user,” “deactivate user,” “workflow,” and so on).

The system ofFIG. 1 is used to protect a web site, network, Intranet, Extranet, etc. To understand how the system ofFIG. 1 protects a web site (or other structure), it is important to understand the operation of unprotected web sites. In a typical unprotected web site, end users cause their browsers to send a request to a Web Server. The request is usually an HTTP request which includes a URL. The Web Server then translates, or maps, the URL into a file system's name space and locates the matching resource. The resource is then returned to the browser.

With the system ofFIG. 1 deployed, Web Server18 (enabled byWeb Gate28,Access Server34, and Directory Server36) can make informed decisions based on default and/or specific rules about whether to return requested resources to an end user. The rules are evaluated based on the end user's profile, which is managed by the Identity Management System. In one embodiment of the present invention, the general method proceeds as follows. An end user enters a URL or an identification of a requested resource residing in a protected policy domain. The user's browser sends the URL as part of an HTTP request toWeb Server18.Web Gate28 intercepts the request. If the end user has not already been authenticated,Web Gate28causes Web Server18 to issue a challenge to the browser for log-on information. The received log-on information is then passed back toWeb Server18 and on toWeb Gate28.Web Gate28 in turn makes an authentication request toAccess Server34, which determines whether the user's supplied log-on information is authentic or not.Access Server34 performs the authentication by accessing attributes of the user's profile and the resource's authentication criteria stored onDirectory Server36. If the user's supplied log-on information satisfies the authentication criteria, the process flows as described below; otherwise, the end user is notified that access to the requested resource is denied and the process halts. After authenticating the user,Web Gate28queries Access Server34 about whether the user is authorized to access the resource requested.Access Server34 in turn queriesDirectory Server36 for the appropriate authorization criteria for the requested resource.Access Server34 retrieves the authorization criteria for the resource and, based on that authorization criteria,Access Server34answers Web Gate28's authorization query. If the user is authorized, the user is granted access to the resource; otherwise, the user's request is denied. Various alternatives to the above described flow are also within the spirit and scope of the present invention.

In one embodiment, the system ofFIG. 1 includes means for providing and managing identity profiles, and means for defining and managing authentication and authorization policies. In one implementation, user identity and authentication/authorization information is administered through delegable Administration roles. Certain users are assigned to Administration roles, thus conferring to them the rights and responsibilities of managing policy and/or user identities in specific portions of the directory and web name spaces. The capability to delegate Administration duties enables a site to scale administratively by empowering those closest to the sources of policy and user information with the ability to manage that information.

A role is a function or position performed by a person in an organization. An administrator is one type of role. In one embodiment, there are at least five different types of administrators: System Administrator, Master Access Administrator, Delegated Access Administrator, Master Identity Administrator, and Delegated Identity Administrator. A System Administrator serves as a super user and is authorized to configure the system deployment itself and can manage any aspect of the system.

A Master Access Administrator is assigned by the system administrator and is authorized to configure the Access Management System. The Master Access Administrator can define and configure Web Gates, Access Servers, authentication parameters, and policy domains. In addition, Master Access Administrators can assign individuals to Delegated Access Administrator roles. A Delegated Access Administrator is authorized to create, delete and/or update policies within their assigned policy domain (described below), and create new policy domains subordinate to their assigned policy domains. A Delegated Access Administrator may also confer these rights to others. A Master Identity Administrator, assigned by the System Administrator, is authorized to configure the Identity Management System, including defining and configuring end user identities and attributes, per attribute access control, who may perform new user and deactivate (revocation) user functions. Master Identity Administrators may also designate individuals to Delegate Identity Administrator roles. A Delegated Identity Administrator is selectively authorized to perform new user and deactivate user functions.

A policy domain is a logical grouping of Web Server host ID's, host names, URL prefixes, and rules. Host names and URL prefixes specify the course-grain portion of the web name space a given policy domain protects. Rules specify the conditions in which access to requested resources is allowed or denied, and to which end users these conditions apply. Policy domains contain two levels of rules: first level default rules and second level rules contained in policies. First level default rules apply to any resource in a policy domain not associated with a policy.

A policy is a grouping of a URL pattern, resource type, operation type (such as a request method), and policy rules. These policy rules are the second level rules described above. There are two levels of rules available (first and second levels) for authentication, authorization, and auditing. Policies are always attached to a policy domain and specify the fine-grain portion of a web name space that a policy protects. In practice, the host names and URL prefixes from the policy domain the policy belongs to are logically concatenated with the policy's URL pattern and the resulting overall patterns compared to the incoming URL. If there is a match, then the policy's various rules are evaluated to determine whether the request should be allowed or denied; if there is not a match, then default policy domain rules are used.

FIG. 2 illustrates a high level block diagram of a computer system which can be used for the components of the present invention. The computer system ofFIG. 2 includes aprocessor unit50 andmain memory52.Processor unit50 may contain a single microprocessor, or may contain a plurality of microprocessors for configuring the computer system as a multi-processor system.Main memory52 stores, in part, instructions and data for execution byprocessor unit50. If the system of the present invention is wholly or partially implemented in software,main memory52 can store the executable code when in operation.Main memory52 may include banks of dynamic random access memory (DRAM) as well as high speed cache memory.

The system ofFIG. 2 further includes amass storage device54, peripheral device(s)56, user input device(s)60, portable storage medium drive(s)62, agraphics subsystem64 and anoutput display66. For purposes of simplicity, the components shown inFIG. 1 are depicted as being connected via asingle bus68. However, the components may be connected through one or more data transport means. For example,processor unit50 andmain memory52 may be connected via a local microprocessor bus, and themass storage device54, peripheral device(s)56, portable storage medium drive(s)62, and graphics subsystem64 may be connected via one or more input/output (I/O) buses.Mass storage device54, which may be implemented with a magnetic disk drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use byprocessor unit50. In one embodiment,mass storage device54 stores the system software for implementing the present invention for purposes of loading tomain memory52.

Portablestorage medium drive62 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, to input and output data and code to and from the computer system ofFIG. 2. In one embodiment, the system software for implementing the present invention is stored on such a portable medium, and is input to the computer system via the portablestorage medium drive62. Peripheral device(s)56 may include any type of computer support device, such as an input/output (I/O) interface, to add additional functionality to the computer system. For example, peripheral device(s)56 may include a network interface for connecting the computer system to a network, a modem, a router, etc.

User input device(s)60 provide a portion of a user interface. User input device(s)60 may include an alpha-numeric keypad for inputting alpha-numeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys. In order to display textual and graphical information, the computer system ofFIG. 2 includesgraphics subsystem64 andoutput display66.Output display66 may include a cathode ray tube (CRT) display, liquid crystal display (LCD) or other suitable display device. Graphics subsystem64 receives textual and graphical information, and processes the information for output to display66. Additionally, the system ofFIG. 2 includesoutput devices58. Examples of suitable output devices include speakers, printers, network interfaces, monitors, etc.

The components contained in the computer system ofFIG. 2 are those typically found in computer systems suitable for use with the present invention, and are intended to represent a broad category of such computer components that are well known in the art. Thus, the computer system ofFIG. 2 can be a personal computer, workstation, server, minicomputer, mainframe computer, or any other computing device. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Palm OS, and other suitable operating systems.

FIG. 3 is a block diagram ofDirectory Server36.Directory Server36 stores user identity profiles102. Each identity profile includes a set of attributes for the particular end users.Group information104 is also stored, which describes logical relationships and groupings of users havingidentity profiles102 stored onDirectory Server36. A plurality ofpolicies106, each of which is associated with a policy domain as described above, are also stored onDirectory Server36. Revokeduser list108 identifies users previously (but no longer) allowed access to resources on their system. Shared secret(s)110 are keys stored onDirectory Server36 used for encrypting cookies set onbrowsers12 or14 after a successful user authentication. Shared secret(s) (keys)110 can change as often as desired by an administrator. In one embodiment of the present invention, previously valid keys are “grandfathered” such that both a current key and an immediately prior key will de-crypt encrypted cookies. Global sequence number (GSN)112 is a unique number stored onDirectory Server36 which is assigned to a policy domain change (first level default rules) or policy change (second level resource-specific rules) and updated in response to subsequent policy changes for cache flushing purposes. In one embodiment of the present invention, the GSN is incremented to the next sequential number after detection of a policy domain or policy change.User attribute list114 is a list of user identity profile attributes used by cached authentication and authorization rules.

FIG. 4 depicts an exemplar directory tree that can be stored onDirectory Server36. Each node on the tree is an entry in the directory structure.Node130 is the highest node on the tree and represents an entity responsible for the directory structure. In one example, an entity may set up an Extranet and grant Extranet access to many different companies. The entity setting up the Extranet isnode130. Each of the companies with Extranet access would have a node at a level belownode130. For example, company A (node132) and company B (node134) are directly belownode130. Each company may be broken up into organizations. The organizations could be departments in the company or logical groups to help manage the users. For example,FIG. 4 shows company A broken up into two organizations: organization A withnode136 and organization B withnode138. Company B is shown to be broken up into two organizations: organization C withnode140 and organization D withnode142.FIG. 4 shows organization A having two end users:employee1 withnode150 andemployee2 withnode152. Organization B is shown with two end users:employee3 withnode154 and employee4 withnode156. Organization C is shown with two end users: employee5 withnode158 and employee6 withnode160. Organization D is shown with two end users: employee7 withnode162 and employee8 withnode164.

Each node depicted inFIG. 4 can include one or more identity profiles stored inDirectory Server36. In one embodiment, there are different types of object-oriented classes for storing information for each identity profile. One exemplar class pertains to entities such asentity130, company A (node133), and company B (node134). A second exemplar class stores information about organizational units such as organization A (node136), organization B (node138), organization C (node140), and organization D (node142). In one embodiment, each of the organizations are departments in a company and each of the users are employees who work for that particular organization. A third exemplar class is for individual persons such as employee1 (node150),employee2, (node152), . . . employee8 (node164). Although the directory tree is depicted as having three levels, more or less than three levels can be used.

In a typical use of the Identity Management System shown inFIG. 4, a source from the Identity Management System attempts to access a target in the Identity Management System. For example, employee1 (node150) may seek to access the profile for employee4 (node156). Thus,node150 is the source andnode156 is the target. For efficiency purposes, one embodiment stores access information at the target and at the highest level for targets with common access rules. In some cases, access information is stored at a higher level even if a lower level does not include common access rules.

FIG. 5 is a flow chart describing the process for setting up an identity profile by an administrator having authority to do so. Instep200, the administrator selects the object class to be used for the directory entry or entries being created. As previously described, there are at least three classes: organization, organizational unit, and user. Instep200, the master identity administrator selects which class is to be used for the entry. After the object class is selected instep200, all possible attributes for the particular class appear on a graphical user interface (GUI) (step202). Instep204, the administrator selects one of the attributes. Instep206, the master identity administrator edits the access criteria for the attribute. Instep210, it is determined whether there are any more attributes to consider. If so, the method loops back tostep204. Otherwise, the process ofFIG. 5 is completed (step214).

FIG. 6 is a flowchart describing step206 ofFIG. 5, editing access criteria for an attribute. Instep230, the administrator selects where in the tree structure ofFIG. 4 to store the access information for the particular attribute under consideration. For example, if the administrator is setting up an identity profile for employee2 (node152) ofFIG. 4, attribute access information can be stored atnode152,node136,node132, ornode130. Instep230, it is determined which one of those available nodes will store the information. Instep232, the permissions to modify the attribute are set up using a policy. A policy can identify person(s) who can modify the attribute. The policy can identify a set of people by identifying a role, by identifying a rule for identifying people, by identifying one or more people directly by name, or by identifying a named group. Instep236, permissions are set up to determine who can view the attributes. The Identity Management System policy determines which users can view identity profile attributes by defining a role, defining a rule, identifying persons by name, or listing an identified group. In one embodiment, the rule mentioned above is an LDAP rule. In step238 (an optional step), the ability to edit the permissions are delegated to others. Instep240, a notify list is set up. The notify list identifies a set of zero or more persons who are notified (e.g. by email) when the attribute is modified.

In one embodiment, the Identity Management System includes a localized access feature. This feature restricts certain user's access to identity profiles within a defined locale. For example, if an entity sets up an Extranet similar to the tree ofFIG. 4, and allows two of its suppliers (e.g. company A and company B) to access the Extranet, company A may not want employees from company B to access identity profiles for employees of company A. In accordance with the present invention, a set of identity profiles can be defined as a locale. Users outside the locale can be restricted from accessing identity profiles inside the locale. Alternatively, users outside the locale can be restricted from accessing certain attributes of identity profiles inside the locale. The localized access feature can be used to prevent any nodes, includingnode132 and any nodes belownode132, from accessingnode134 and any node belownode134. The localized access feature can be used at other levels of granularity and/or at other levels of the organizational hierarchy. For example, users belownode136 can be blocked from accessing profiles belownode138,node140,node142,node134, etc.

FIG. 7 is a flow chart describing the process for configuring localized access. Instep262, a localized access parameter for the entire system ofFIG. 1 is set. This parameter turns on the localized access function. Instep266 ofFIG. 7, a class attribute can be set for localized access. Each identity profile has a set of attributes. One of those attributes is designated as the class attribute. The class attribute is used to identify the identity profile. A reference to a particular identity profile is a reference (or pointer) to the class attribute for the identity profile. The class attribute can be configured for localized access by setting up a localized access filter that identifies the locale. If the source of a request is in a different locale than the locale defined for the class attribute, then the source is denied access to the target. The localized access filter can be an absolute test such as “Company=Acme” or the filter can name another attribute (called a domain attribute). If the filter names a domain attribute (e.g. company attribute, address attribute, last name attribute, organization attribute, etc. ), then the filter is satisfied if the named attribute for source matches the named attribute for the target. For example, if the domain attribute named for the class attribute is “Company Name,” than a source can only access a target if the company name for the source is the same as the company name for the target. Using a domain attribute, rather than hard coding the criteria, is more dynamic because it depends on the run-time relationship of the source and target. In one embodiment, multiple domain attributes can be used to define the locale. Users whose domain attributes are equal, are in the same locale. A user can be a member of multiple locales.

Instep268, individual attributes for a profile can be configured for localized access. That is, some attributes in an identity profile can be configured for localized access, while other attributes are not. Each attribute can be provided with a localized access filter that identifies the locale for that attribute. The localized access filter can include an absolute test, an LDAP test or one or more domain attributes. In one embodiment, individual attributes are not configured instep268 if the class attribute for the profile has already been set. It is possible to configure the class attribute for localized access and not configure the other attributes for localized access. Similarly, in some embodiments it is possible to not configure the class attribute for localized access while configuring the other attributes for localized access.

In one embodiment, when a source seeks to access a particular attribute in a target, the system first checks to see if the localized access filter for the class attribute of the target is satisfied. If it is not satisfied, then access is denied. If it is satisfied, then the system first checks to see if the localized access filter for the particular attribute of the target is satisfied. If it is or it is not configured for localized access, then access can be granted. If the localized access filter for the particular attribute of the target is not satisfied, access to the particular attribute is denied. In summary, the localized access filter for the class attribute determines access to the entire identity profile, while the localized access filter for a specific attribute (other than the class attribute) determines access to the specific attribute. After the steps ofFIG. 7 are completed, the profiles (or portions of profiles) that have been set for localized access can only be accessed by those within the same locale.

FIG. 8 is a flow chart describing the process for accessing data in the Identity Management System. The data can be accessed for viewing, modifying, etc. As described above, the entity attempting to access a profile in the Identity Management System is the source and the profile being accessed is the target. Instep290, the source user's browser sends a request to access attributes of a target directory entry. Instep292, the request is received byUser Manager38. Instep294,User Manager38 accesses the target profile and the source profile onDirectory Server36. Instep296,User Manager38, based on the attribute settings created or modified by the process ofFIG. 5 and (possibly) the source profile, determines whether the source should have access to each of the different attributes of the target profile. This step is discussed in further detail below. Instep298,User Manager38 passes the information for the attributes that access is allowed for to the source's browser. Instep300, the attributes that the source may view are displayed on the source's browser.

FIG. 9 is a flow chart describing the process ofstep296 ofFIG. 8, determining whether the source should have access to the various attributes of the target. Instep320, the system determines whether a localized access violation for the class attribute has occurred. A localized access violation is found when the target's class attribute is configured for localized access and the source is not in the locale for the target. If there is a localized access violation, the method ofFIG. 9 is done (step344) and none of the attributes for the target may be accessed by the source. For example, if the source is employee1 (node150 ofFIG. 4), the target is employee8 (node164 ofFIG. 4), and all of company B is subject to localized access with a domain attribute set as “company ” (in one embodiment the actual syntax is %company%) a localized access violation will be found instep320.

If no localized access violation is found instep320, then one of the attributes for the target is selected instep322 andUser Manager38 determines whether the access information for that selected attribute is at the current level in the tree. Thefirst time step324 is performed, the current level in the tree is the level of the target. As previously explained, access information can be stored at the target's node or nodes above the target. If the access information is not found at the current level, then instep340, it is determined whether the system is inquiring at the top level of the directory structure (e.g. node130 ofFIG. 4). If the system is at the top level, then the system determines whether all attributes have been evaluated instep332. If all attributes have been evaluated, then the process ofFIG. 9 is done (step348). If all attributes have not been evaluated, then the system accesses the initial level again instep334 and loops back tostep322. If instep340, it is determined that the system is not at the top level, then the system moves up one level (step342) and loops back tostep324.

While instep324, if the access information for the attribute is at the current level being considered, then instep326 it is determined whether there is a local access violation for the attribute under consideration. If the particular attribute being considered was configured for localized access and the source is not in the relevant locale for the target, then a localized access violation occurs and the method ofFIG. 9 is done (step346). It will be appreciated that localized access can apply to entire profiles or only certain portions (certain attributes) of profiles. If the attribute under consideration was not configured for localized access, then there is no localized access violation for the attribute under consideration. If there is no localized access violation for the attribute under consideration, then the identity profile for the source is applied to any additional access criteria to see whether the source should have access to the target's attribute. If the criteria is met, access is granted instep330 and the method loops to step332. At the end of the process ofFIG. 9, a source will be granted access to zero or more attributes. Step300 ofFIG. 8 displays only those attributes for which the source has been granted access.

FIG. 10 is a flow chart describing the process ofstep320 inFIG. 9, determining whether a localized access violation has occurred for a class attribute. Instep360, the Identity Management System determines whether the localized access parameter is set. If not, there is no localized access violation. If so, then instep364, the system determines whether a class attribute is configured for localized access. If the class attribute is not configured for localized access, there is no local access violation (step362). If the class attribute is configured for localized access, then instep366 it is determined whether the localized access filter is satisfied (e.g. does the domain attribute for the target must match the domain attribute for the source?). If the localized access filter is satisfied, no localized access violation occurs (step362). If the localized access filter is not satisfied, then a localized access violation exists and access should be denied (step368).

FIG. 11 is a flow chart describing the process performed instep326 ofFIG. 9, determining whether there is a localized access violation for a particular attribute. Instep380, it is determined whether a localized access parameter is set. If not, thee is no localized access violation (step382). Otherwise, instep384, it is determined whether the particular attribute is configured for localized access. If the particular attribute is not configured for localized access, then there is no localized access violation (step382). If the particular attribute is configured for localized access, then instep386 it is determined whether the localized access filter for the attribute under consideration is satisfied. If the localized access filter is satisfied, then there is no localized access violation (step382). If the localized access filter is not satisfied, then there is a localized access violation and access should be denied (step388).

FIG. 12 is a flow chart describing the process of how a source user can modify an attribute of a target profile. Instep410, the source user attempts to modify an attribute. For example, in one embodiment the source user is provided a GUI which depicts the directory tree. The source user can select any node in the directory tree and click on a button to modify a target profile. Alternatively, the source user can type in a URL, distinguished name, or other identifying information for the target. Once presented with a target profile (e.g. the process ofFIG. 8), the user selects a particular attribute and attempts to modify it by selecting a modify button on the GUI. This request to modify is sent toUser Manager38. Instep412,User Manager38 searches for the modify criteria for the attribute in the target directory. This modify criteria is the information set up instep232 ofFIG. 6.User Manager38 searches in the current target directory. If the criteria is not found in the current directory being accessed (see step414), then it is determined whether the system is at the top of the directory tree structure (step416). If not, then the system moves up one level instep418. If the top of the directory structure is reached, then the source user is not allowed to modify the attribute (step420). Instep422,User Manager38 searches for the modify criteria in a new directory. Afterstep422, the method loops back tostep414. If instep414, it is determined that the criteria was found at the current level being considered, then instep430, the User Manager evaluates the criteria against the target user's identity profile. If the identity profile for the target user satisfies the criteria for modifying the attribute (step432) then the source user is allowed to modify the attribute (step434). Otherwise, the source user is not allowed to modify the attribute (step420).

FIG. 13 is a flow chart describing a process for automating the updating of identity profiles when a source user requesting the update is not allowed to modify the target profile. In one embodiment, the source user is the person identified by the target profile. Instep450, the source user requests modification of the target profile. This can be a request to modify any or all of the attributes for the target profile (e.g. address, telephone number, creation of the profile, deletion of the profile, etc.). Instep452, it is determined whether the target profile is protected. It is possible to set all attributes such that any source entity can modify the attributes In such a configuration; the profile is not protected. If the target profile is not protected, then, instep454, the target profile is modified as per the source user's request. If the target profile is protected, then instep456, theUser Manager38 issues an electronic message (“ticket”) sent to a responsible party requesting that the modification be made. The responsible party is a person granted access to modify a particular attribute and has the responsibility for doing so. Instep458, the ticket appears in a service queue accessible by the responsible party. The service queue can be a directory which stores all tickets or can be any database which is used to store the tickets. The responsible party may access a GUI which indicates all tickets in the service queue, the date they were received, and what service is requested. Instep460, the requesting source user can view whether a ticket has been serviced. Instep462, the ticket is fully serviced, partially serviced or denied by the responsible party. If the ticket is serviced, then the target will be modified. However, the target will not be modified if the ticket is denied. After the target is modified (or purposely not modified) and a ticket is responded to, the ticket is removed from the service queue instep464. In an optional embodiment, the source is automatically notified that the ticket is removed from the service queue and notified of the result of the request.

FIG. 14 provides a block diagram ofWeb Gate28. In one embodiment,Web Gate28 is a Web Server plug-in running onWeb Server18. In another embodiment,Web Gate28 is an NSAPI Web Server plug-in. In another embodiment,Web Gate28 is an ISAPI Web Server plug-in. In still a further embodiment,Web Gate28 is an Apache Web Server plug-in. In another embodiment, a plurality of Web Gates conforming to different plug-in formats are distributed among multiple Web Servers.

Resource cache502 caches authentication information for individual resources. The information stored inresource cache502 includes: request method, URL,retainer505, andaudit mask503. In one embodiment of the present invention,audit mask503 is a four bit data structure with separate bits identifying whether authentication and/or authorization successes and/or failures are audited (logged) for a given resource.

Authentication scheme cache506 stores authentication scheme information, including information necessary for the performance of each different authentication challenge scheme. For example, if the authentication scheme ID parameter of aresource cache502 entry references a “client certificate” authentication scheme, then the authentication scheme ID parameter of the entry would reference anauthentication scheme cache506 entry (keyed by the authentication challenge method ID). In one embodiment, authentication scheme cache stores redirect URL, authentication challenge method ID (identifying an authentication challenge method), challenge parameters for authentication and authentication level.Web Gate28 also stores the most recentglobal sequence number510 received fromAccess Server34 pursuant to a cache flushing operation, as further described below.

Event manager514 callsredirection event handler504, resource protectedevent handler508,authentication event handler512, orauthorization event handler516 to perform redirection, a resource protected method, an authentication method, or an authorization method (all further described herein), respectively.Redirection event handler504 redirectsbrowser12 or14 in response to redirection events initiated byAccess Server34 or other components ofWeb Gate28. Resource protectedevent handler508 performs steps in a method for determining whether a requested resource falls protected within a policy domain.Authentication event handler512 performs steps in a method for authenticating a user ofbrowser12 or14 upon a finding that a requested resource is protected.Authorization event handler516 performs steps in a method for determining whether a user ofbrowser12 or14 is authorized to access a requested resource upon a successful authentication or receipt of a valid authentication cookie, further described herein. Sync record table518 identifies all existing synchronization records not yet processed byWeb Gate28 as further described herein.

FIG. 15 provides a block diagram ofAccess Server34.Authentication module540 is provided for carrying out steps in a method for authenticating a user as further described herein.Authorization module542 is provided for carrying out steps in a method for authorizing a user to access a requested resource as further described herein.Auditing module544 carries out steps in a method for auditing (logging) successful and/or unsuccessful authentications and/or authorizations as further described herein. Audit logs546 store information logged byauditing module544 in accordance with the present invention.Audit logs sensors548 include one or more sensors that monitor the audit logs for certain types of events.Synchronization records550 are stored onAccess Server34 in accordance with a method for flushing caches as further described herein.

Access Server34 stores the most recentglobal sequence number554 received fromAccess Manager40 pursuant to a cache flushing operation.URL prefix cache564 stores the URL prefixes associated with policy domains that are protected by the Access Management System.URL prefix cache564 facilitates the mapping of requested resources to policy domains, as further described herein.URL prefix cache564 is loaded fromDirectory Server36 upon initialization ofAccess Server34.

Policy domain cache566 caches all default authentication rules of each policy domain in accordance with the present invention. Policy domain cache further stores an array ofrules565 listing all default and resource-specific rules associated with resources in a given policy domain. Each rule entry inarray565 includes the ID of the rule and compiled information about the URL pattern (resource) to which the rule applies.Array565 enablesAccess Server34 to quickly find the first level default authentication, authorization, and auditing rules for a given policy domain, as well as second level rules (authentication, authorization, and auditing rules) associated with particular policies in the policy domain.

Authentication scheme cache568 caches information necessary for the performance of different authentication challenge methods as similarly described above forauthentication scheme cache506 ofWeb Gate28.Authentication rule cache570 caches second level authentication rules associated with policies. The rules inauthentication rule cache570 are listed inarray565. Upon determining that a second level authentication rule exists and learning its ID (by looking in array565),Access Server34 can easily find the second level authentication rule inauthentication rule cache570. The second level rules are the rules associated with policies, discussed above.

Authorization rule cache572 caches first level default authorization rules as well as second level authorization rules. The rules inauthorization rule cache572 are listed inarray565. Upon determining that a first or second level authorization rule exists and learning its ID (by looking in array565),Access Server34 can easily find the applicable authorization rule for a given resource inauthorization rule cache572.

Audit rule cache574 caches first level default audit rules as well as second level audit rules. The rules inaudit rule cache574 are listed inarray565. Upon determining that a first or second level audit rule exists and learning its ID (by looking in array565),Access Server34 can easily find the applicable audit rule for a given resource inaudit rule cache574.

User profile cache576 stores identity profile attributes previously used in authentications, authorization, or audit steps, in accordance with the present invention.User policy cache578 stores the successful and unsuccessful authorization results for specific users requesting specific resources governed by authorization rules based on an LDAP filter or a group membership.User policy cache578 allowsAccess Server34 to quickly recall a user's authorization if the user has recently accessed the resource.

FIG. 16 is a flow chart which describes the process of creating a policy domain. Instep600, System Console42 (or Access Manager40) receives a request to create a policy domain. Instep602, the name of the policy domain and the description of the policy name are stored. Instep604, one or more URL prefixes are added to the policy domain. Instep605, one or more host ID's are added to the policy domain (optional). Next, one or more access rules are added to the policy domain. An access rule is a rule about accessing a resource. Examples of access rules include authorization rules, authentication rules, auditing rules, and other rules which are used during the process or attempting to access a resource. Instep606, a first level (default) authentication rule is added to the policy domain. In general, authentication is the process of verifying the identity of the user. Authentication rules specify the challenge method by which end users requesting access to a resource in the policy domain must prove their identity (authentication). As previously discussed, first level (default) authentication rules apply to all resources in a policy domain, while second level authentication rules are associated with policies that apply to subsets of resources or specific resources in the policy domain. In one embodiment, there is only one default authentication rule for a policy domain. If an administrator desires an authentication rule to apply to only a specific resource in the policy domain, a separate policy for that specific resource having a second level (specific) authentication rule should be defined, as discussed below. After setting up the authentication rule instep606, one or more first level or default authorization rules are added to the policy domain instep608. In general, an authorization rule determines who can access a resource. The default authorization rule allows or denies users access to resources within its applicable policy domain. If multiple authorization rules are created, then they are evaluated in an order specified instep610. Instep612, a first level (default) audit rule is configured for the policy domain. Instep614, zero or more policies are added to the policy domain. Instep616, the data for the policy domain is stored inDirectory Server36 and appropriate caches (optional) are updated. In one embodiment, an authorization rule or an authentication rule can be set up to take no action. That is, always grant authentication without any challenge or verification; or always grant authorization without any verification.

FIG. 17 is a flow chart describing the process of adding one or more authorization rules to a policy domain (step608 ofFIG. 16). Instep632, timing conditions are set up for the authorization rule. Timing conditions restrict the time when the authorization rule is in effect. For example, users can be allowed access to URLs in the policy domain only during business hours, Monday through Friday. In one embodiment, if timing conditions are not set, the authorization rule is always in effect. The timing conditions include selecting a start date, an end date, selecting a start time and an end time, selecting the months of the year, selecting the days of the month, and selecting the days of the week that the rule is valid. Insteps634 and636, authorization actions are set up. Authorization actions personalize the end user's interaction with the Web Server. Instep634, header variables are provided for authorization success events and authorization failure events. This feature allows for the passing of header variables about the end user (or other information) to other web-enabled resources. Web-enabled applications can personalize the end user's interaction with the Web Server using these header variables. As a simple example, the actions could supply each application with the user's name. An application could then greet the user with the message “hello<user's name>” whenever the user logs on. Header variables are variables that are part of an HTTP request.FIG. 40 below illustrates the format of an HTTP request that includesheader variables1554. If an authorization rule is set up with header variables as part of an authorization success action, then when a successful authorization occurs the HTTP request to the resource will include the header variables. Similarly, if there are header variables for an authorization failure, then an authorization failure event will include adding header variables to the HTTP request that redirects a browser to an authorization failure web page. The resources identified by the HTTP requests, that include the header variables can use the header variables any way desired. In one embodiment of the method ofFIG. 17, one or more groups can be specified for authorization to the resource(s).

FIG. 18 is a flow chart that describes the process of adding header variables to an HTTP request (seestep634 ofFIG. 17). Header variables can be added during an authorization success event, authorization failure event, authentication success event or authentication failure event. Instep650, the variable name is entered. Instep652, a text string is entered. Instep654, one or more LDAP attributes are entered. Instep656, it is determined whether any more header variables will be added. If not, the method ofFIG. 18 is done (step658). If so, the method ofFIG. 18 loops back tostep650.

The variable name entered instep650 is a value that appears in the HTTP header that names the variable. The downstream resource using the header variable will search for the variable name. The string entered is data that can be used by the downstream resource. The LDAP attribute(s) can be one or more attributes from the requesting user's identity profile. Thus, in the simple authorization success example described above, the variable name field can include “authorization success,” the return field can include “yes,” and the attribute field can include the name attribute for the user in the user's identity profile. Any of the attributes from the user's identity profile can be selected as a header variable.

Looking back atFIG. 17, instep636, are direct URL can be added for an authorization success event and a redirect URL can be entered for an authorization failure event. Step638 includes specifying which users are allowed to access the resource associated with the authorization rule. By default, users cannot access a resource until they are granted access rights to it. In one embodiment, there are at least four means for specifying who can access a resource. The first means is to explicitly name a set of users who can access the resource. A second means includes identifying user roles. The third means is to enter an LDAP rule that can be used to identify a set of users based on a combination of one or more attributes. A fourth means is to enter an IP address which will allow users of computers having the specified IP address to access the resource. Step640 is used to specify the users not allowed to access the resource associated with this rule. Identification of users, roles, LDAP rules, and IP addresses are entered instep640 in the same manner as entered instep638. It is possible that a particular user can be subject to both an allow access rule and a deny access rule. Step642 is used to set a priority between such rules.Optional step644 is used to define any POST data to be used for authorization if this feature is implemented. An HTTP POST request can include POST data in the body of the HTTP request (seeFIG. 40 below). POST data can also be submitted in query string form. One embodiment of the present invention allows POST data to be used for authorization purposes. Inoptional step644, an administrator defines which POST data is to be used for authorization purposes. If POST data is to be used for authorization, in order for an authorization rule to be satisfied, the POST request must include all the appropriate POST data and values for that POST data as defined instep644. However, it will be understood that POST data need not be used for authorization in all embodiments of the present invention. Step646 is used to set a priority of evaluation for the authorization rule relative to other authorization rules in a given policy. In one embodiment, if multiple authorization rules apply to a resource, this priority determines the order of evaluation.

FIG. 19 is a flow chart describing the process for adding an authentication rule (seestep606 ofFIG. 16). Instep670, a challenge scheme (also called an authentication scheme) is selected. An authentication scheme is a method for requesting log-on information (e.g. name and password) from end users trying to access a web resource. Within an authentication scheme is a challenge method (e.g. Basic, certificate or form). There can be more than one authentication scheme with the same challenge method (e.g. Basic over LDAP, Basic over NT Domain, . . . ). Various other authentication schemes can also be used. Instep672, header variables are added for authentication success and authentication failure events. Instep674, redirect URLs are added for authentication success events and authentication failure events.

FIG. 20 provides a flow chart depicting the process for configuring an audit rule (seestep612 ofFIG. 16). Instep680, the events to trigger an audit are selected. In one embodiment, authentication success, authentication failure, authorization success and authorization failure can be selected for auditing. Instep682, the information to be logged is selected for each particular event identified instep680. The information logged can include information about the event and/or user attributes from the identity profile for the user requesting the authentication or authorization.

FIG. 21 is a flow chart describing the process of adding a policy (seestep614 ofFIG. 16). Instep718, a resource type is specified. The resource type allows different resources to be handled by different policies, depending on the nature of the resource itself. For example, in one embodiment, the resource type will distinguish between resources accessed using HTTP and resources accessed using FTP. In another embodiment, Enterprise Java Beans (EJBs) are a possible resource type. In another embodiment, user-defined custom resource types are supported. Instep720, an operation type is specified. This allows different resources to be handled by different policies, depending on the operations used to request the resource. In one embodiment, the operations will be HTTP requests. Supported HTTP request methods include GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT, and OTHER. In another embodiment, if EJBs are identified as the resource type (step718), an EXECUTE operation can be specified instep720. In another embodiment, user-defined custom operations are supported. Instep722, a pattern for the URL path to which the policy applies is specified. This is the part of URL that does not include the scheme (“http”) and host/domain (“www.oblix.com”), and appears before a ‘?’ character in the URL. Instep724, a query string is specified. This is a set of variables and values that must be included in the specified order in an incoming URL for the policy to match and be activated. For example, in the URL “HTTP://www.zoo.com/animals.cgi?uid=maneaters&tigers=2” the values after the question mark (e.g. “uid=maneaters&tigers=2”) comprise a query string. Only a URL exhibiting the query string can match to this policy. For example, a URL with the “tigers” variable appearing before the “uid” variable will not match the above-identified policy. Instep726, query string variables are added. Query string variables include a name of a variable and the variable's corresponding value. Query string variables are used when it is a desirable that multiple variables are found in the query string, but the order is unimportant. Thus, for a policy with query string variables “uid=maneaters” and “tigers=2,” a URL with a query string having the appropriate uid and appropriate tigers variable, in any order, will match the policy. In order for a resource URL to apply to a policy, the path of the requested resource URL must match the path of the policy as well as any query string or query variables. As discussed above, POST data can be submitted in query string form (for example, in a form submission), and evaluated using the query string variables entered instep726.

The query string or query variables specified in the steps ofFIG. 21 do not need to uniquely identify a resource. Rather, they are used to identify a policy, which may apply to one or more resources.

Typically, the query data is added to a URL to access certain data from a resource. However, the query data can be used in the URL to identify the resource. Each application or resource is free to use the query data in any way that is in agreement with standards and norms known in the art.

Instep728 ofFIG. 21, the authentication rule is created in accordance with the method ofFIG. 19. Instep730, one or more authorization rules are created for the policy in accordance with the method ofFIG. 17. Instep732, an audit rule for the policy is configured in accordance with the method ofFIG. 20. Instep734, POST data (optional) is added to the policy. This POST data is used to map resources with policies.

The present invention supports the use of multiple authentication schemes. An authentication scheme comprises an authentication level, a challenge method, an SSL assertion parameter, a challenge redirect parameter, and authentication plug-ins. The authentication level represents an arbitrary designation of the level of confidence that an administrator has in a particular authentication scheme relative to other authentication schemes.

In one embodiment of the present invention, an authentication scheme can specify one of four challenge methods: none, basic, form, and X.509. If an authentication scheme's challenge method is set to “none,” no authentication is required to access a requested resource, thus allowing support for unauthenticated users. This challenge method can be used over both unsecured as well as SSL connections. The “basic” challenge method can also be used over both unsecured and SSL connections. The “X.509” challenge method can only be used over an SSL connection between a user's browser and Web Server host, because the authentication method invoked for an X509 challenge method is part of the SSL protocol. A “form” challenge method employs a custom, site-specific HTML form presented to the user, who enters information and submits the form. Subsequent processing is determined by the administrator at the time the authentication scheme is created. Form challenge methods can be used over both unsecured and SSL connections.

The SSL parameter of an authentication scheme identifies whether SSL is to be asserted on the connection to the user's browser by the Web Server. The challenge parameter identifies where to redirect a request for authentication for the particular authentication scheme. Authentication plug-ins are necessary for processing the user's supplied information. Authentication plug-ins can interface withAccess Server34 through an authentication API.

An authentication scheme that an attacker can easily and profitability eavesdrop upon is typically considered “weak.” In one embodiment, the basic authentication challenge method places the user's credential (supplied information), a simple password, “in the clear” over an unsecured network connection. However, the authentication scheme can be made stronger by passing the user's credential over an encrypted connection, such as SSL. In one embodiment, given two authentication schemes (one with and one without SSL), an access administrator will assign the authentication scheme without SSL to a lower authentication level than the authentication using SSL.

When a user first request a protected resource, the user is challenged according to the authentication scheme defined by the first level authentication rule in the applicable policy domain or the second level authentication rule in the applicable policy associated with the requested resource. If the user satisfies the authentication rule, an encrypted authentication cookie is passed to the user's browser indicating a successful authentication. Once authenticated, the user may request a second resource protected by a different policy domain and/or policy with a different authentication rule. The user will be allowed access to the second resource without re-authenticating if the authentication level of the authentication scheme used to successfully authenticate for the first resource is equal to or greater than the authentication level of the authentication scheme of the second resource. Otherwise, the user is challenged and asked to re-authenticate for the second resource in accordance with the second resource's higher level authentication scheme. Satisfaction of a higher or lower authentication level is determined by evaluating the authentication cookie sent by the user's browser when requesting the second resource. In one embodiment of the present invention, administrators can define an unlimited number of authentication levels.

Once authenticated, a user can explicitly log out, causing authentication cookies cached (or otherwise stored) by the user's browser to be destroyed or become invalid. Authentication cookies can also be set by an administrator to be destroyed after a maximum idle time has elapsed between requests to resources protected in accordance with the present invention.

FIG. 22 provides a flow chart for one embodiment of a method for authenticating, authorizing, and logging. Instep750, a user'sbrowser12 requests a web-enabledresource22 or24. The request is intercepted byWeb Gate28 instep752. The method then determines whether the requested resource is protected by an authentication and/or authorization rule instep753. If the resource is not protected, then access is granted to the requested resource instep795. If the requested resource is protected however, the method proceeds to step754. If the user has previously authenticated for a protected resource in the same domain, a valid authentication cookie will be passed bybrowser12 with the request instep750 and intercepted by Web Gate instep752. If a valid cookie is received (step754), the method attempts to authorize the user instep756. If no valid authorization cookie is received (step754), the method attempts to authenticate the user for the requested resource (step760).

If the user successfully authenticates for the requested resource (step762), then the method proceeds to step774. Otherwise, the unsuccessful authentication is logged instep764. Afterstep764, the system then performs authentication failure actions andWeb Gate28 denies the user access to the requested resource instep766. Instep774, the successful authentication of the user for the resource is logged. The method then performs authentication success actions instep766. In response to the successful authentication,Web Gate28 then passes a valid authentication cookie tobrowser12 instep780 which is stored bybrowser12. After passing the cookie instep780, the system attempts to authorize instep756.

Instep756, the method attempts to determine whether the user is authorized to access the requested resource. If the user is authorized (step790), the method proceeds to step792. Otherwise, the unsuccessful authorization is logged instep796. Afterstep796, the method performs authorization failure actions (step798) andWeb Gate28 denies the user access to the requested resource. If authorization is successful (step790), then the successful authorization of the user is logged instep792, authorization success actions are performed instep794, and the user is granted access to the requested resource instep795. In one embodiment ofstep795, some or all of HTTP request information is provided to the resource.

FIG. 23 provides a flow chart of a method for determining whether a requested resource is protected (seestep753 ofFIG. 22). In one embodiment, the steps ofFIG. 23 are performed by resource protectedevent handler508 andAccess Server34. Instep830,Web Gate28 determines whether an entry for the requested resource is found inresource cache502. If an entry is found, the cache entry is examined instep842 to determine whether the cache entry indicates that the resource is protected (step832) or unprotected (step840). If an entry for the requested resource is not found inresource cache502, thenWeb Gate28 passes the URL of the requested resource request method toAccess Server34instep833.Access Server34 attempts to map the requested resource to a policy domain using URL prefix cache564 (step836).

Ifmapping step836 is unsuccessful (step838), then the requested resource is deemed to be unprotected (step840). However, if a successful mapping has occurred (step838), thenAccess Server34 retrieves the authentication rule (step844) and audit rule (step846) associated with the requested resource.Access Server34 then passes the authentication scheme ID from the authentication rule,audit mask503,retainer505 and any POST data received toWeb Gate28 instep848.Web Gate28 caches the authentication scheme ID from the authentication rule,audit mask503,retainer505 and POST data in resource cache502 (step850). Since the requested resource was successfully mapped to a policy domain instep836, the resource is deemed protected (step832).

FIG. 24 is a flow chart describing the process for mapping a resource to a policy domain (seestep836 ofFIG. 23). Instep900,Access Server34 receives the URL of the requested resource fromWeb Gate28.Access Server34 then compares a URL prefix of the requested resource with entries inURL prefix cache564 instep902. In one embodiment, whenstep902 is called for the first time inFIG. 24, the URL prefix of the requested resource equals the file name. Thus, if the URL of the requested resource reads: “http://www.oblix.com/oblix/sales/index.html” then the URL prefix first compared bystep902 will be: “/oblix/sales/index.html.” If a matching URL prefix is found (step904),Access Server34 proceeds to step916.

Instep916,Access Server34 determines whether the policy domain associated with the matching URL prefix calls for one or more host ID's. In one embodiment, resources are mapped to certain policy domains if the port number of a resource request and the location of the resource itself conform to one or more host ID's. Thus, multiple policy domains can be associated with identical URL prefixes, each policy domain requiring different host ID's (or none at all). If the policy domain considered instep916 requires a matching host ID, thenAccess Server34 proceeds to step917. Otherwise,Access Server34 proceeds directly to step906 where the requested resource is mapped to the policy domain associated with the currently considered URL prefix. Instep917, if a matching host ID is found,Access Server34 proceeds to step906. If no matching host ID is found,Access Server34 returns to step904 where it determines whether additional matching URL prefixes exist.

If no matching URL prefix is found instep904, thenAccess Server34 proceeds to step908. Instep908,Access Server34 crops the right-most term from the resource URL prefix compared instep902. Thus, if the resource URL prefix compared instep902 reads: “/oblix/sales/index.html” then the resource URL prefix will be cropped instep908 to read: “/oblix/sales.” If the entire resource URL prefix has been cropped instep908 such that no additional terms remain (step910), then the method proceeds to step912 whereAccess Server34 concludes that there is no policy domain associated with the requested resource. However, if one or more additional terms remain in the resource URL prefix, then the method returns to step902 where the cropped URL prefix is compared with URL prefixes cached inURL prefix cache564.

As will be apparent fromFIG. 24, the method recurses throughsteps902,904,908, and910 until either a match is found (step904) or the entire resource URL prefix has been cropped (step910). In any case, the method ofFIG. 24 will inevitably return either a successful mapping (step906) or no mapping (step912).

FIG. 25 provides a flow chart describing a method for loading an authentication rule (seestep844 ofFIG. 23). Instep930,Access Server34 loads the first level (default) authentication rule for the policy domain mapped instep836 ofFIG. 23 fromDirectory Server36 intoauthentication rule cache570. In one embodiment, success and failure actions are part of all authentication and authorization rules. In one embodiment,Access Manager40 maintains auser attribute list114 onDirectory Server36.User attribute list114 identifies all user attributes used by authentication and authorization actions loaded intoauthentication rule cache570 andauthorization rule cache572. In this step,Access Server34 also builds array565 (previously described above) and loads it intopolicy domain cache566.Array565 includes all second level rules and patterns associated with each of the policies for the policy domain.Access Server34 then selects a second level rule in array565 (step931). The selected second level rule is part of a policy. Instep932,Access Server34 performs a pattern matching method (further described below) for determining whether the rule applies to the requested resource. If so, thenAccess Server34 proceeds to step935; otherwise,Access Server34 determines whether all rules inarray565 have been evaluated (step933). If, instep933, it is determined that not all of the rules in the array have been evaluated, thenAccess Server34 selects the next rule in array565 (step934) and returns to step932. Once all rules inarray565 have been considered (step933), the first level authentication rule previously loaded instep930 is returned as the authentication rule, no second level authentication rule is loaded intoauthentication rule cache570, and the method ofFIG. 25 is done (step937). If an associated policy was found instep932, thenauthentication module540 caches the second level authentication rule and success and failure actions for the rule in authentication rule cache570 (step935), returns that second level authentication rule (step936), and the method is done (step937).

FIG. 26 is a flow chart describing a method for determining whether a policy is associated with a resource (seestep932 ofFIG. 25). A policy URL can contain the following three types of patterns. All three types of patterns were referenced inFIG. 21:

1. Pattern on the path of the URL: This is the part of URL that does not include the scheme (“http”) and host/domain (“www.oblix.com”), and appears before a ‘?’ character in the URL. In the example URL:

http://www.oblix.com/oblix/sales/index.html?user=J. Smith&dept=engg the absolute path is “/oblix/sales/index.html.”

2. Pattern on name value pairs in the URL: This may be a set of patterns. They apply to query data (data appearing after the ‘?’ character in the URL when operation is GET, or the POST data if operation is POST) and are configured as name (no pattern allowed) plus a pattern or value. For example:

	variable name	pattern
	user	*Smith
	dept	*sales*

If multiple name value pairs are specified, they all must match to the incoming resource URL. So the URL:

http://www.oblix.com/oblix/sales/index.html?user=J. Smith&dept=engg will not match this pattern set. This pattern does not include a notion of order to these name-value pairs. A URL:

http://www.oblix.com/oblix/sales/index.html?dept=sales&user=J. Smith (with reverse order of “dept” and “user”) will also satisfy this pattern. This is important because it is usually difficult to control the order of name value pairs in GET/POST query data.

3. Pattern on the entire query string: This is useful when an administrator desires to enforce an order on the query string. For example, a pattern “user=*Smith*sales” will match query string “user=J. Smith&dept=sales.”

A policy can contain one or more of above types of patterns. If multiple patterns are specified in one policy, they ALL must match to the incoming resource URL. If not, that policy doesn't apply to the incoming resource URL.

Patterns used for one embodiment of the current invention can use the following special characters:

1. ?: Matches any one character other than ‘/’. For example,“a?b” matches “aab” and “azb” but not “a/b.”

2. *: Matches any sequence of zero or more characters. Does not match ‘/’. For example, “a*b” matches “ab,” “azb,” and “azzzzzzb but not “a/b.”

3. [“set”]: Matches one from a set of characters. “set” can be specified as a series of literal characters or as a range of characters. A range of characters is any two characters (including ‘-’) with a ‘-’ between them. ‘/’ is not a valid character to include in a set. A set of characters will not match ‘/’ even if a range which includes ‘/’ is specified. Examples includes: “[nd]” matches only “n” or “d”; “[m-x]” matches any character between “m” and “x” inclusive; “[--b]” matches any character between “-” and “b” inclusive (except for “/”); “[abf-n]” matches “a,” “b,” and any character between “f” and “n” inclusive; and “[a-f-n]” matches any character between “a” and “f” inclusive, “-,” or “n.” The second “-” is interpreted literally because the “f” preceding it is already part of a range.

4. {“pattern1,” “pattern2,” . . . }: Matches one from a set of patterns. The patterns inside the braces may themselves include any other special characters except for braces (sets of patterns may not be nested). Examples includes: “a{ab,bc}b” matches “aabb” and “abcb”; “a{x*y,y?x}b” matches “axyb,” “axabayb,” “ayaxb,” etc.

5. “/ . . . /”: Matches any sequence of one or more characters that starts and ends with the ‘/’0 character. Examples includes: “/ . . . /index.html” matches “/index.html,” “/oblix/index.html,” and “/oblix/sales/index.html,” but not “index.html,” “xyzindex.html,” or “xyz/index.html”; and “/oblix/ . . . /*.html” matches “/oblix/index.html,” “/oblix/sales/order.html,” etc.

6. “\”: Any character preceded by a backslash matches itself. Backslash is used to turn off special treatment of special characters. Examples include “abc\*d” only matches “abc*d”; and “abc\\d” only matches “abc\d.”

To increase the speed of pattern matching, the system tries to do some work up front. WhenAccess Server34 loads a pattern in its cache, it creates an object. This object's constructor “compiles” the pattern. This compiling is essentially building a simple state machine from one pattern to other, i.e., it creates a chain of “glob nodes.” Each glob node consists of either one pattern or a node set. For example, consider pattern:

• / . . . /abc*pqr{uv,xy*}.
  The chain would look like:
• node(“/ . . . /”)→node(“abc”)→node(“*”)→node(“pqr”)→nodeset(node(“uv”), (node(“xy”)→node(“*”)))

Once the chain is constructed, it is used to match a resource URL to the pattern. Each node or node set in this chain takes a pointer to a string, walks it and decides if it matches the pattern held by the node. In doing so, it also moves this pointer further up in the string. For example, when the server gets a URL “/1/3/abcdepqrxyz,” the system takes this string and starts walking the chain. Below is an example of evaluation at each node/node set and pointer (*p) in the string. Note that the original string is not modified. To begin with lets assume that the pointer points to the beginning of the string: *p→“/1/3/abcdepqrxyz.”:

Step 1: node(“/.../”) ---> MATCHES ---> advance *p -> “abcdepqrxyz.”
Step 2: node(“abc”) ---> MATCHES ---> advance *p -> “depqrxyz.”
Step 3: node(“*”) ---> *matches everything except special characters (

	unescaped ’?,’ ’*,’ ’[,’ ’],’ ’{,’ ’},’ ’/’), so at this point,
	the system tries matching to the next node, node(“pqr”) like this:

	a)	does *p->“depqrxyz” match node (“pqr”)? NO,advance *p
		-> “epqrxyz.”
	b)	does *p->“epqrxyz” match node (“pqr”)? NO,advance *p
		-> “pqrxyz.“
	c)	does *p->“pqrxyz” match node (“pqr”)? YES,advance *p->
		“xyz.” If we walked to the end of string and
		didn't find a “pqr” (for example in case of
		URL “/1/3/abcdefgh”) there is no match.

Step 4: nodeset(node(“uv”),(node(“xy”)-->node(“*”))):

A nodeset will match

	incoming string (in the example, *p->“xyz”) to one of set members.
	In this case “xyz” does not match “uv,” but it does match “xy*.” So
	there is a MATCH and *p-> ’\0.’

Step 5: The pointer is at the end of the string. So the match is successful.

At any point, if the system finds a node that does not match its string, the system stops processing and concludes that the string does not match the pattern. For example, a URL “/1/3/dddddd” will clearstep 1 above, but will fail step2, so the matching stops afterstep 2.

Referring toFIG. 26, instep940,Access Server34 retrieves the policy information frompolicy domain cache566. The policy information can include one or more of the following: a URL absolute path, a query string, and zero or more query variables. Instep941,Access Server34 determines whether requested resource matches the policy resource type (seeFIG. 21). If the resource type does not match,Access Server34 skips to step952. However, if the resource type does match,Access Server34 proceeds to step942. Instep942,Access Server34 determines whether the operation used to request the resource matches policy operation type (seeFIG. 21). If the operation type does not match,Access Server34 skips to step952. If the operation type does match,Access Server34 proceeds to step943.

Instep943, the policy URL absolute path, query variables, and query strings are broken up into various nodes, as described above. Instep944, the various nodes are stored.Access Server34 accesses the requested resource URL instep946. Instep948, the first node of the policy URL is considered byAccess Server34. Instep950,Access Server34 considers whether the considered node matches the resource URL, as described above. If the first node does not match, then the entire policy will not match (step952). If the node does match the resource URL, or if there are no nodes for the policy, then instep954 it is determined whether there are any more nodes to consider. If more nodes remain to be considered, then instep956 the next node is considered and the method loops back tostep950. If there are no more nodes (step954), the query string for the policy is compared to the query string of the resource URL instep958. If the query string for the policy exactly matches the query string for the resource URL, or if there is no query string for the policy, then the method continues withstep960. If the query string for the policy does not match the query string for the resource URL, then the resource URL does not match and is not associated with the policy (step952).

Instep960, it is determined whether there are any query variables (seeFIG. 21) to consider that have not already been considered. If there are query variables to consider, then the next query variable is accessed instep964. The accessed query variable is searched for in the resource URL instep965. If the query variable is found in the resource URL and the value for the query variable matches the stored value query variable in for the policy (step966), then the method continues atstep960; otherwise,Access Server34 proceeds to step967. The purpose ofsteps960,964,965, and966 is to determine whether each of the query variables (and associated values) defined for a policy are found, in any order, in the resource URL. If all of the query variables are in the URL with the appropriate values, than there is a match (step970). In one embodiment, the query string and the query variables are in the portion of the URL following the question mark.

If in step966 a match is not found, then it is determined whether a match may still be possible using POST data. In one embodiment, resources are mapped to policies by matching POST data submitted with resource requests. Thus, different policies can be associated with a given resource, depending on the contents of the POST data. For example, a user may request a resource during the course of submitting an online form containing POST data. Applicable policies can be mapped on the basis of POST data added to the policy instep734 ofFIG. 21. Instep967,Access Server34 determines whether the policy operation type is an HTTP POST request. If not, then there is no match (step952). However, if the operation type is an HTTP POST request, thenAccess Server34 proceeds to step968 whereAccess Server34 requests and receives the POST data fromWeb Gate28. In one embodiment,Web Gate28 transmits a flag with all POST requests forwarded toAccess Server34. When POST data is transmitted with an HTTP POST request, the flag is set. If no POST data is transmitted, then the flag is not set. In another embodiment,retainer505 is transmitted byAccess Server34 toWeb Gate28 when requesting POST data.Retainer505 is returned byWeb Gate28 toAccess Server34 with the POST data, thus indicating which policy to continue evaluating instep969. Instep969,Access Server34 evaluates whether the POST data received instep968 matches the POST data required by the policy to achieve a match (seeFIG. 21). If the POST data matches, then the method proceeds to step970. Otherwise, the method proceeds to step952.

FIG. 26A provides a flow chart detailing the steps performed when matching a resource with a specific policy using POST data instep969 ofFIG. 26. In one embodiment, the steps ofFIG. 26A are performed byauthentication module540. Instep980,Access Server34 selects the first data required for matching the policy under consideration. Then, instep981,Access Server34 selects the first item of POST data received instep968 ofFIG. 26.Access Server34 compares the POST data with the required data (step982). If a match is found (step983), Access Server proceeds to step987. Otherwise,Access Server34 proceeds to step984 where it determines whether all of the POST data received has already been compared instep982. If additional POST data remains to be compared,Access Server34 selects the next item of POST data received (step986) and loops back tostep982. If all received POST data has already been compared (step982) and no match was found (step984), thenAccess Server34 returns no match (step985). Instep987,Access Server34 determines whether additional POST data is required to be matched in order to match the specific policy under consideration with the requested resource. If additional data is required,Access Server34 selects the next required data (step988) and loops back tostep981. If no additional data is required,Access Server34 returns a match (step989).

FIG. 27 provides a block diagram of a retainer data structure (retainer)505 that is passed byWeb Gate28 toAccess Server34 to identify the policy domain and policy previously mapped instep836 ofFIG. 23 and step932 ofFIG. 25, respectively.Retainer505 is cached inresource cache502 instep850 ofFIG. 23.Retainer505 contains thepolicy domain ID992 of the mapped policy domain to be used in authorization and logging steps, thepolicy ID994 for an applicable policy residing in the mapped policy domain, andID996 for the applicable authentication scheme. Thus, by passingretainer505 rather than the complete URL of the requested resource,Web Gate28saves Access Server34 from having to repeatedly remap the requested resource to a policy domain and policy during authorization and logging.

FIG. 28 provides a flowchart of a method for authenticating a user for various combinations of domains and Web Servers through a single authentication performed by the user. As will be apparent to those skilled in the art, an Internet domain can reside on a single Web Server, or be distributed across multiple Web Servers. In addition, multiple Internet domains can reside on a single Web Server, or can be distributed across multiple Web Servers. In accordance with the present invention, the method ofFIG. 28 allows a user to satisfy the authentication requirements of a plurality of domains and/or Web Servers by performing a single authentication.

In the simplest case, all of an e-business host company's Web Servers will be in the same domain (i.e. oblix.com). When a user successfully authenticates at one of the Web Servers, the Web Gate running on the authenticating Web Server causes the Web Server to return an encrypted cookie, indicating a successful authentication. Subsequent requests by the browser to the domain will pass this cookie (assuming the cookie applies to the requested URL), proving the user's identity; therefore, further authentications are unnecessary.

In a more complex case, an e-business host company's web presence incorporates associated web sites whose Web Servers have names in multiple domains. In such a multiple domain case, each of the associated portal Web Servers use a Web Gate plug-in configured to redirect user authentication exchanges to the e-business host's designated web log-in Web Server. The user is then authenticated at the e-business host's web log-in server, and an encrypted cookie is issued for the e-business host's domain to the user's browser. The user's browser is then is redirected back to the original associated portal's site where the Web Gate creates a new cookie for the associated portal's domain and returns it to the user's browser.

As a result, the user is transparently authenticated in both the original associated portal's domain and the e-business host's domain. The process is transparently performed for each different associated portal that a user may visit during a session. The present invention's associated portal support easily supports single Web Servers having multiple DNS names in multiple domains, and/or multiple network addresses. In accordance with the present invention, this multiple domain authentication enables “staging” of web sites. For example, a new edition of a web site can be deployed on a separate set of servers, and then mapped to policy domains protected by the present invention by simply updating the policy domain's host ID's.

In one embodiment, the steps ofFIG. 28 are performed byauthentication event handler512 andredirection event handler504. Instep1020,authentication event handler512 determines whether single or multiple domains are protected in a given deployment of the present invention. If only a single domain is protected, then the method proceeds to step1022 where an authentication is attempted at the single domain. If the single domain is distributed across multiple Web Servers, then the domain attribute of the cookie set by the authenticating Web Server instep1022 is set to broadly include all Web Servers in the domain.

If multiple domains are protected, the method proceeds to step1024 whereauthentication event handler512 determines whether the multiple protected domains all reside on a single Web Server. For example, a single machine intranet.oblix.com maybe addressed in multiple ways such as: sifl.oblix.com, intranet, asterix.oblix.com, or 192.168.1. In accordance with the present invention, when multiple domains reside on a single Web Server, an administrator will designate exactly one of the domains a “preferred host domain.” Ifstep1024 indicates that all protected domains reside on the same Web Server, thenauthentication event handler512 determines whether the domain of the requested resource is a preferred host (step1026). If it is a preferred host, thenauthentication event handler512 attempts to authenticate the user at the preferred host domain in step1030 (further described below with respect toFIG. 30). Otherwise,redirection event handler504 redirectsbrowser12 to the preferred host domain (step1028) for authentication (step1030). Referring to step1024, if the multiple protected domains reside on multiple Web Servers, thenauthentication event handler512 proceeds to step1032.

In one embodiment, a single policy domain and/or policies are created for the preferred host domain while no policy domains or policies are created for the other domains residing on the same web server. All resource requests made to any of the multiple protected domains residing on the same web server are redirected to the preferred host domain, thus requiring the user to authenticate according to the preferred host domain's policy domain and/or policies. As a result, after authentication at the preferred host domain, the user is transparently authenticated for all other domains residing on the same web server. When subsequent resource requests for resources in domains residing on the same web server are redirected to the preferred host domain, the prior successful authentication for the host domain can be confirmed by the existence of a valid authentication cookie for the preferred host domain. If such a cookie exists, then the user need not re-authenticate for the requested resource. In one embodiment, if subsequent resource requests made to the preferred host domain (or any of the other domains on the same web server) require a higher level of authentication, or if a previously valid authentication has expired, the user will be required to re-authenticate at the preferred host domain in accordance with the method ofFIG. 28.

FIG. 29 provides a block diagram of a plurality of Web Servers, each hosting a different domain accessible bybrowser1082. In accordance with the present invention, when multiple domains are protected and distributed across multiple Web Servers, the administrator will identify exactly one of the domains a “master domain.” As identified inFIG. 29,Web Server1070 hosts master domain A.com, whileWeb Servers1072 and1074 host domains B.com and C.com, respectfully. An end user's resource request is illustrated inFIG. 29 bypath1084 frombrowser1082 toWeb Server1072.

Referring back toFIG. 28, ifauthentication event handler512 determines that the domain of the requested resource is a master domain (step1032), thenauthentication event handler512 attempts to authenticate at the master domain (step1034). Otherwise,redirection event handler504 redirectsbrowser12 to the master domain (step1036). The user then authenticates at the master domain (step1038). The redirection and authentication ofsteps1036 and1038 are illustrated inFIG. 29 bypath1086. Upon a successful authentication at the master domain, the master domain Web Server passes an authentication cookie to the user's browser (step1040) and re-directs the user's browser back to the first domain accessed by the user (step1042). Also instep1042, the master domain passes information contained in the master domain authentication cookie to the first domain in the query data portion of the redirection URL.Steps1040 and1042 are illustrated bypaths1088 and1090, respectively inFIG. 29. Instep1044, the Web Gate of the first domain Web Server extracts the master domain authentication cookie information from the redirection URL, thus confirming the user's authentication at the master domain and resulting in a successful authentication (step1046). The first domain Web Server (B.com) then sends its own authentication cookie to web browser1082 (as depicted by path1092) in accordance withstep780 ofFIG. 22, previously described above. Any subsequent authentication bybrowser1082 at domain C.com onWeb Server1074 follows the method ofFIG. 28.

FIG. 30 provides a flow chart of the method for authenticating, as performed insteps1022,1030,1034, and1038 ofFIG. 28. In one embodiment, the steps ofFIG. 30 are performed byauthentication event handler512. Instep1120,authentication event handler512 accessesresource cache502 to determine what authentication challenge method is to be used for the given resource.Authentication event handler512 then accessesauthentication scheme cache506 instep1122 to determine whether the authentication scheme associated with the requested resource has been previously cached. If the authentication scheme is found,authentication event handler512 determines the specific type of challenge method instep1126. If the challenge scheme was not found instep1122,authentication event handler512 loads the authentication rule associated with the requested resource fromDirectory Server36 in step1124 (further described below inFIG. 31), and then proceeds to step1126.

Instep1126,authentication event handler516 discerns whether the authentication challenge scheme retrieved instep1122 or1124 calls for basic, form, certificate, or no authentication. If the challenge scheme indicates basic authentication, then the method proceeds to step1128 and performs basic authentication. If the challenge scheme indicates form authentication, then the method proceeds to step1130 and performs form authentication. If the challenge scheme indicates certificate authentication, then the method proceeds to step1132 and performs certificate authentication. If the challenge scheme indicates that no authentication is required (step1134), then the user is not challenged, authentication is not performed (in one embodiment, the system skips to step756 ofFIG. 22 and in another embodiment the system skips to step774 ofFIG. 22).

FIG. 31 provides a flow chart describing the method of loading an authentication challenge scheme from Directory Server36 (step1124 ofFIG. 30). In one embodiment, the steps ofFIG. 31 are performed byauthentication event handler512 andAccess Server34. Instep1160,authentication event handler512 requests the authentication challenge scheme to be read fromAccess Server34. If the authentication challenge scheme is found in authentication scheme cache568 (step1162), thenAccess Server34 proceeds to step1168. Otherwise,Access Server34 retrieves the requested authentication challenge scheme from Directory Server36 (step1164). Upon retrieval,Access Server34 caches the authentication challenge scheme in authentication scheme cache568 (step1166), and proceeds to step1168. Instep1168,Access Server34 passes the retrieved authentication challenge scheme toWeb Gate28.Web Gate28 then caches the authentication challenge scheme in authentication scheme cache506 (step1170).

FIG. 32 provides an exemplar method for performing basic authentication (step1128 ofFIG. 30). In one embodiment, the steps ofFIG. 32 are performed byauthentication event handler512 andauthentication module540. Instep1202,authentication event handler512 instructsbrowser12 to prompt the user for a user ID and password. In response, the user enters and the user's browser submits the requested user ID and password (step1204). Instep1206,Web Gate28 intercepts the user submission andauthentication event handler512 passes the user ID and password toAccess Server34, along withretainer505, thus identifying a policy domain and policy applicable to the requested resource. AccessServer authentication module540 then authenticates the user using the user ID and password instep1208. Instep1210,authentication module540 returns the authentication result, authentication success or failure actions, and any user attributes required by the actions toWeb Gate28.

FIG. 33 provides a flow chart describing an exemplar method used by the Access Server to authenticate using a user ID and password (step1208 ofFIG. 32). In one embodiment, the steps ofFIG. 33 are performed byauthentication module540. Inoptional step1230,authentication module540 searchesuser profile cache576 for a user identity profile entry having a user ID attribute matching the user ID received fromWeb Gate28.User profile cache576 is a hash table of user identity profile attributes that can be used for authentication, authorization, or auditing. In one embodiment, the user ID attribute would appear inuser profile cache576 if it was previously used in a successful authentication. If a match is found (optional step1232), thenauthentication module540 proceeds to step1234. If no match is found, thenauthentication module540 proceeds to step1236.

In another embodiment, steps1230 and1232 ofFIG. 33 are not performed. In such an embodiment, the method ofFIG. 33 begins withstep1236 where it searches user identity profiles102 in Directory Server36 (not user profile cache576) for a user identity profile having a user ID attribute matching the user ID received fromWeb Gate28. If no matching user identity profile attribute is found in Directory Server36 (step1238), then the method proceeds to step1241. If a matching user identity profile attribute is found in Directory Server36 (step1238), thenauthentication module540 binds to the directory using the distinguished name from the matching user identity profile entry and the password received from Web Gate28 (step1234). If the bind is unsuccessful (step1240), thenauthentication module540 proceeds to step1241 where it determines whether an entry for the current user is found inuser profile cache576. If so,authentication module540 proceeds to step1243. Otherwise,authentication module540 retrieves all profile attributes of the current user appearing inuser attribute list114 and caches them in user profile cache576 (step1242). Instep1243,authentication module540 returns an unsuccessful authentication result.

If the bind is successful (step1240), thenauthentication module540 accesses revokeduser list582 to determine whether the user ID received from Web Gate appears on revokeduser list582. If the user ID is on the revoked user list (step1244),authentication module540 proceeds to step1241. If the user ID is not on the revoked user list, thenauthentication module540 determines whether an entry for the user is found in user profile cache576 (step1250). If not,authentication module540 retrieves all profile attributes of the current user appearing inlist114 and caches them in user profile cache576 (step1254). If an entry was found, the method skips to step1260. Instep1260, the method returns a successful authentication result.

FIG. 34 provides a flow chart describing a method for performing form authentication (step1130 ofFIG. 30). In one embodiment, the steps ofFIG. 34 are performed byauthentication event handler512,redirection event handler504,browser12, andauthentication module540. Instep1308,authentication event handler512 sets a “form login” cookie onbrowser12. The cookie includes the URL of the requested resource.Authentication event handler512 then redirectsbrowser12 to an authentication form URL (step1310). Instep1312,Web Gate28 allows the authentication form referenced by the authentication form URL to pass tobrowser12. The user then fills out the authentication form (step1314) and transmits (e.g. post data) the information from the authentication form (step1316), passing the form login cookie previously set instep1308.Authentication event handler512 then extracts the URL of the requested resource from the form login cookie (step1318), and passes the user ID and password filled out by the user in the authentication form (submitted as POST data) to Access Server34 (step1320).

Instep1322,authentication module540 authenticates the user for the requested resource using the user's id and password received fromWeb Gate28, performing the steps ofFIG. 33 previously described above. Instep1324,authentication module540 returns the authentication result, authentication actions, and user attributes toWeb Gate28.Authentication event handler512 then sets the form login cookie (previously set in step1308) to indicate that the authentication process is completed (step1326).

FIG. 35 is a flow chart describing a method for performing certificate authentication (step1132 ofFIG. 30). In one embodiment of the present invention, client certificate authentication is performed using Web Servers employing the Netscape Enterprise Server plug-in interface (NSAPI). In another embodiment, client certificate authentication is performed for Web Servers employing the Microsoft Internet Information Server plug-in interface (ISAPI). In yet another embodiment, client certificate authentication is performed on a plurality of Web Servers, with a first subset of the Web Servers employing NSAPI and a second subset employing ISAPI. Other Web Servers can also be used.

In one embodiment, the steps ofFIG. 35 are performed byauthentication event handler512,redirection event handler504,browser12, andauthentication module540. Instep1348,authentication event handler512requests Web Server18 to perform SSL client certificate authentication onbrowser12. In one embodiment of the present invention performing client certificate authentication on ISAPI Web Servers,authentication event handler512 redirectsbrowser12 to a special case URL (i.e. cert_authn.dll) that is configured to accept certificates. In such an embodiment, this redirection occurs withinstep1348.

Instep1350,Web Server18, on behalf ofWeb Gate28, sends an SSL client certificate request along with trusted certificate authorities (CA's) and challenge data tobrowser12.Browser12 then displays a selection box with client certificates from trusted CA's, allowing a user ofbrowser12 to select a certificate (step1352).Browser12 then returns the selected certificate with challenge data signed by a private key to Web Server18 (step1356).Web Server18 then verifies that the challenge data was properly signed by the selected certificate (step1360) and passes a valid certificate to Web Gate28 (step1362), which passes the certificate to Access Server34 (step1363). Instep1364,authentication module540 ofAccess Server34 then decodes the certificate and maps the certificate subject to a valid distinguished name (further described inFIG. 36). Instep1366,authentication module540 returns the authentication result, authentication actions, and user attributes toWeb Gate28.

FIG. 36 provides a flow chart describing a method for authenticating using a valid certificate (step1364 ofFIG. 35). In one embodiment, the steps ofFIG. 36 are performed byauthentication module540. Inoptional step1390,authentication module540 decodes one or more fields of the certificate passed byWeb Gate28 instep1362 ofFIG. 35. In one embodiment, the user's e-mail address is decoded. Instep1392,authentication module540 searchesuser profile cache576 for a user identity profile entry having one or more attributes matching the decoded field(s). In one embodiment, the user attribute would appear inuser profile cache576 if it was previously used in a successful authentication. If a match is found (optional step1394), thenauthentication module540 proceeds to step1406. If no match is found, thenauthentication module540 proceeds to step1396.

In another embodiment, steps1390 and1392 ofFIG. 36 are not performed. In such an embodiment, the method ofFIG. 36 begins withstep1396 where it searches user identity profiles102 inDirectory Server36 for a user identity profile having one or more attributes matching the decoded field(s). If no matching user identity profile attribute is found in Directory Server36 (step1398), then the method proceeds to step1402 where it determines whether an entry for the current user is found inuser profile cache576. If so,authentication module540 proceeds to step1405. Otherwise,authentication module540 retrieves all profile attributes of the current user appearing inuser attribute list114 and caches them in user profile cache576 (step1404). Instep1405,authentication module540 returns an unsuccessful authentication result. If a matching user identity profile is found instep1398, the method proceeds to step1406.

Instep1406,authentication module540 accesses revokeduser list582 to determine whether the user identity profile having the matching user attribute appears on revokeduser list582. If so,authentication module540 proceeds to step1402. Otherwise,authentication module540 continues on to step1410 and determines whether an entry for the current user is found inuser profile cache576. If not,authentication module540 retrieves all profile attributes of the current user appearing inlist114 and caches them in user profile cache576 (step1416). If an entry was found, the method skips to step1422. Instep1422, the method returns a successful authentication result.

FIG. 37 provides a block diagram of anauthentication cookie1450 passed byWeb Gate28 tobrowser12 instep780 ofFIG. 22.Cookie1450 is encrypted with a symmetric cipher so that cookies from all instances ofWeb Gate28 in a given deployment of the present invention may be encrypted using the same key. This key (shared secret110) is stored onDirectory Server36 and distributed to each of theWeb Gates28 byAccess Server34. Shared secret110 can change as often as desired by an administrator. In one embodiment of the present invention,cookie1450 is encrypted using RC4 encryption with a 2048 bit key. As previously described, in one embodiment, previously valid keys are grandfathered such that both the current key and the immediately prior key will both work to de-cryptencrypted cookie1450. The present invention features a one-button key re-generation function. This function is easily scriptable.

In one embodiment, the information stored bycookie1450 includes theauthentication level1452 of the authentication scheme used to create the cookie, theuser ID1454 of the authenticated user, theIP address1456 of the authenticated user, and session starttime1458 identifying the time at whichcookie1450 was created. If the time elapsed since thesession start time1458 exceeds a maximum session time, the cookie will become invalid.Idle start time1460 is also stored, which identifies the time when the previous HTTP request for a protected resource was made in whichcookie1450 was passed. If the time elapsed since theidle start time1460 exceeds a maximum idle time, the cookie will become invalid. Both of these time limits force users to re-authenticate if they have left a session unattended for longer than the maximum session or idle times.Cookie1450 also stores asecured hash1462 ofinformation1452,1454,1456,1458, and1460. In one embodiment of the present invention,secured hash1462 is created using an MD5 hashing algorithm. Most Internet browsers cache a user's supplied authentication information during basic and certificate authentication challenge methods, and then transparently re-send the information upon receiving an authentication challenge from a Web Server. In one embodiment, an administrator can enable a form authentication challenge method requiring end users to re-authenticate upon expiration of the maximum session or maximum idle time limits.

FIG. 38 provides a flow chart describing a method for attempting to authorize a user (step756 ofFIG. 22). In one embodiment, the method ofFIG. 38 is performed byauthorization event handler516 andauthorization module542. Instep1490,authorization event handler516 ofWeb Gate28 passes authorization information toAccess Server34. In step1494,authorization module542 determines whether one or more authorization rules associated with the requested resource are found inauthorization rule cache572. If one or more rules are found,authorization module542 proceeds to step1496. Otherwise,authorization module542 retrieves any authorization rules associated with the requested resource fromDirectory Server36 instep1498. In one embodiment, authorization success and failure actions are retrieved with the authorization rules. After retrieving the authorization rules,authorization module542 proceeds to step1496 and reads the first authorization rule associated with the requested resource fromauthorization rule cache572. In one embodiment, multiple authorization rules are evaluated in an order determined by the priority set instep646 ofFIG. 17. In another embodiment, second level authorization rules are evaluated prior to first level authorization rules.Authorization module542 applies the authorization rule (step1500) to the authorization information previously passed instep1490.

If the authorization rule is satisfied instep1502,authorization module542 determines whether an entry for the user is found in user profile cache576 (step1504). If so,authorization module542 proceeds to step1508. If not,authorization module542 retrieves all profile attributes of the current user appearing in user attribute list114 (step1507), and communicates the authorization success actions and attributes to Web Gate28 (step1508).

If the authorization rule is not satisfied (step1502), thenauthorization module542 determines whether more authorization rules remain to be evaluated (step1509). If more rules remain, the next rule is read (step1496) and evaluated (step1500). If no more rules remain,authorization module542 determines whether an entry for the user is found in user profile cache576 (step1510). If so,authorization module542 proceeds to step1512. If not,authorization module542 retrieves all profile attributes of the current user appearing in user attribute list114 (step1511), and communicates the authorization success actions and attributes to Web Gate28 (step1512).

FIG. 39 details the steps performed when passing authorization information toAccess Server34 instep1490 ofFIG. 38. In one embodiment, the steps ofFIG. 39 are performed byauthorization event handler516. In one embodiment, authorization can be performed using POST data. In another embodiment, POST data is not used for authorization. If POST data is enabled to be used for authorization, then the method ofFIG. 39 begins withoptional step1530. Otherwise, the method begins atstep1534. If the resource request issued bybrowser12 instep750 ofFIG. 22 employs a POST request method and POST data is enabled to be used for authorization (step1530),authorization event handler516 passes the POST data andretainer505 to Access Server34 (step1536). If the resource request does not employ a POST request method or POST data is not enabled to be used for authorization (step1530), thenauthorization event handler516 passesretainer505, the request method, the user's distinguished name, the user's IP address, and the time of the request toAccess Server34 instep1534.

FIG. 40 illustrates the format of an HTTP request. As illustrated inFIG. 40, anHTTP request1550 comprisesrequest line1552, zero ormore headers1554,blank line1556, and body1558 (used only for POST requests). The HTTP protocol supports various types of requests. The GET request returns whatever information is identified by the request-URI portion ofrequest line1552. The HEAD request is similar to the GET request, but only a server's header information is returned. The actual contents of the specified document is not returned. This request is often used to test hypertext links for validity, accessibility, and recent modifications. The POST request is used for POSTing electronic mail, news, or sending forms that are filled in by an interactive user. A POST is the only type of request that sends a body. A valid content-linked header field is required in POST requests to specify the length ofbody1558. Post data can include zero or more data elements separated by “&” as depicted byline1562. Each data element is of the form variable name=value.

HTTP request1550 can contain a variable number of header fields1560. Ablank line1556 separatesheader fields1554 frombody1558. A header field comprises a field name, a string and the field value, as depicted inbox1560. In one embodiment, the field value is an LDAP attribute. Field names are case insensitive. Headers can be divided in three categories: those that apply to requests, those that apply to responses, and those that describebody1558. Certain headers apply to both requests and responses. Headers that describe the body can appear in a POST request or in any response.

FIG. 41 provides a flow chart describing a method for loading an authorization rule from the Directory Server (step1498 ofFIG. 38). In one embodiment, the steps ofFIG. 41 are performed byauthorization module542. Instep1580,Access Server34 loads the default authorization rule for the policy domain mapped instep836 ofFIG. 23 fromDirectory Server36 intoauthorization rule cache572.Access Server34 then selects a first rule in array565 (step1582) and determines whether the selected rule is a second level (specific) rule of a policy associated with the requested resource (step1584), by calling the method ofFIG. 26 previously described above. If yes, thenAccess Server34 proceeds to step1592. Otherwise,Access Server34 determines whether all rules inarray565 have been evaluated (step1586). If not, thenAccess Server34 selects the next rule in array565 (step1588), and returns to step1584. Once all rules inarray565 have been considered (step1586),Access Server34 proceeds to step1594 and loops back tostep1586. If a second level authorization rule (a rule defined in a policy) was found for the requested resource instep1584, thenauthorization module540 caches the second level authorization rule in authorization rule cache570 (step1592) and the method is done (step1594). If a second level policy authorization rule was not found, then the default authorization rule previously loaded instep1580 remains inauthorization rule cache572, and the method is done (step1594).

FIG. 42 provides a flow chart describing the method of applying an authorization rule (step1500 ofFIG. 38). In one embodiment, the steps ofFIG. 42 are performed byauthorization module542. In one embodiment, authorization can be performed using POST data. In another embodiment, POST data is not used for authorization. If POST data is to be used for authorization, then the method ofFIG. 42 begins withoptional step1620. Otherwise, the method begins atstep1624. Inoptional step1620, if the resource request employs a POST request method, thenauthorization module542 proceeds tooptional step1622 where it applies the authorization rule to the POST data passed instep1536 ofFIG. 39. If the resource request does not employ a POST request method (or if POST data is not enabled to be used for authorization), thenauthorization module542 proceeds to step1624. If specific users are defined (by distinguished name) in the authorization rule,authorization module542 evaluates whether the distinguished name of the authenticated user matches the user's distinguished name called for by the authorization rule (step1626). If specific groups are defined in the authorization rule (step1628),authorization module542 evaluates whether the group name of the authenticated user matches the group name called for by the authorization rule (step1630). In one embodiment, the user's group membership is cached inuser policy cache578. If specific roles are defined in the authorization rule (step1632),authorization module542 evaluates whether the role of the authenticated user matches the role called for by the authorization rule (step1634). If specific LDAP rules are defined in the authorization rule (step1640),authorization module542 evaluates whether the LDAP rule matches the LDAP rule called for by the authorization rule (step1642). In one embodiment, the result of the LDAP rule evaluation instep1642 is cached inuser policy cache578. If specific user IP addresses are defined in the authorization rule (step1644),authorization module542 evaluates whether the IP address of the authenticated user matches the IP address called for by the authorization rule (step1646). If a successful match is found at any point (steps1627,1631,1635,1643, and1647), the authorization is successful (step1650). In one embodiment, successful matches of groups and LDAP rules are stored inuser policy cache578 insteps1631 and1643. In another embodiment, multiple matches must be found before an authorization success is found. If no matches are found, authorization is unsuccessful (step1652).

FIG. 43 provides a flow chart detailing the steps performed when applying an authorization rule to POST data inoptional step1622 ofFIG. 42. In one embodiment, the steps ofFIG. 43 are performed byauthorization module542. Instep1670,Access Server34 selects the first item of POST data received inoptional step1536 ofFIG. 39. If the selected POST data is of a type that is called for by the authorization rule being evaluated (step1672), thenAccess Server34 evaluates whether the selected POST data matches data required by the authorization rule (step1674) and determines whether a successful match has been found (step1675). For example, if an authorization rule calls for a user's distinguished name, then a distinguished name contained in the POST data will be compared with the distinguished name expected by the authorization rule. If the selected POST data equals the expected distinguished name, then a successful match will be found for the example above. If a match is found (step1675), Access Server proceeds to step1682 where it returns a successful authorization. Otherwise, Access Server proceeds to step1676. If, instep1672, it is determined that the type of POST data was not called for, thenAccess Server34 proceeds directly to step1676.

Instep1676,Access Server34 determines whether all of the POST data received instep1536 has been considered bystep1672. If additional Post data remains to be considered (step1676),Access Server34 selects the next available item of POST data (step1678) and loops back tostep1672. If no POST data remains to be considered and a match still has not been found (step1676),access Server34 proceeds to step1684 and returns an authorization failure.

FIG. 44 is a flow chart describing the process of performing authentication success actions (step776 ofFIG. 22). Instep1700,Web Gate28 determines whether there is a redirect URL. As described above, when setting up a policy domain or a policy, an administrator can set up a redirect URL for authentication success/failure events as well as authorization success/failure events. An administrator can also set up various variables to add to an HTTP request based on these events. If, instep1700, it is determined that a redirect URL exists for an authentication success event, then instep1702 it is determined whether there are any HTTP variables to add to the HTTP request. If it was determined instep1700 that there was not a redirect URL, then instep1704, it is determined whether there are any HTTP variables to add to the request. If, instep1704, it is determined that there are HTTP variables to add to the request in response to the authentication success event, then instep1706, the header variables are added. If, instep1704, it is determined that there are no HTTP variables to add to the request, then no action is performed (step1708). If, instep1702, it is determined that there are no HTTP variables to add to the request, then instep1710 the redirect URL is added to the HTTP request andbrowser12 is redirected using the HTTP request in step1712. If instep1702 it is determined that there are HTTP variables to add to the request, then instep1714 the redirect URL is added to the HTTP request and, instep1716, the header variables are added to the HTTP request. Instep1718, the browser is redirected using the newly constructed HTTP request.

When a Web Server receives an HTTP request, the Web Server stores the contents of the HTTP request in a data structure on the Web Server. A Web Gate can edit that data structure using an API for the Web Server. In one embodiment, the downstream application that will be using the header variables is on, accessed using or associated with the same Web Server storing the HTTP request. In that case, the header variable are added (e.g. in step1706) by storing the header variables in the data structure on the Web Server. Subsequently, the Web Server will provide the header variables to the downstream application.

FIG. 45 is a flow chart describing the steps of performing authentication and authorization failure actions (seesteps766 and798 ofFIG. 22, respectively). Instep1738, Web Gate determines whether there is a redirect URL for the authorization failure or authentication failure, whichever event is being considered. If there is no redirect URL, then instep1740, it is determined whether there are any HTTP variables for the authorization failure or authentication failure. If there are no HTTP variables, then instep1742, a default failure URL is added to a new HTTP request. The default failure URL is a URL that points to a web page that notifies a user that access is denied to the resource. In other embodiments, other pages can be used as default failure pages. Instep1744, the user'sbrowser12 is redirected using the HTTP request that includes the default failure URL. If, instep1740, it is determined that there are HTTP variables to add to the HTTP request for the particular authentication failure or authorization failure event, then instep1746, those variables are added as header variables to the HTTP request. Instep1748, the default failure URL is added to the HTTP request. The user's browser is redirected using the HTTP request instep1750.

If, instep1738, it is determined that there is a redirect URL for the particular authentication failure or authorization failure event, then it is determined whether there are any HTTP variables for this particular action instep1752. If not, the redirect URL is added to the HTTP request instep1754 and the browser is redirected using the HTTP request instep1756. If, instep1752 it is determined that there are HTTP variables to add to the request, then instep1758, the redirect URL is added to the HTTP request. Instep1760, the header variables are added to the HTTP request. The user's browser is then redirected using the HTTP request instep1762.

FIG. 46 is a flow chart describing the process of performing authorization success actions (step794 ofFIG. 22). Instep1782, it is determined whether there is a redirect URL for the authorization success action. If there is no redirect URL, then instep1784 it is determined whether there are any HTTP header variables to add. If so, the header variables are added instep1786. For example, the header variables can be added to the data structure for the request that is stored on the Web Server. Subsequently, the Web Server will provide the header variables to the downstream application(s). If, instep1784 it is determined that there are no HTTP variables to add to the request, then no action is taken.

If it is determined instep1782 that there is a redirect URL, then instep1796, it is determined whether there are any HTTP variables to add to the request. If there are not any HTTP variables to add to the request, then the redirect URL is added to the HTTP request instep1798. Instep1800, the user's browser is redirected using the HTTP request with the redirect URL. If it is determined that there are HTTP variables to add to the request instep1796, then the redirect URL is added to the HTTP request instep1802. Instep1804, the HTTP variables are added as header variables to the HTTP request. Instep1806, the user's browser is redirected using the HTTP request.

FIG. 47 is a flow chart describing the process of how a downstream application or other resource uses header variables provided by the system ofFIG. 1. Upon authorization success, authorization failure, authentication success or authentication failure, various data can be added as header variables. Instep1830, the resource receives the request. In one embodiment, the resource receives request information from a Web Server. In another embodiment, the resource receives a redirected HTTP request. Instep1832, the resource determines whether there are any header variables to consider. If there are no header variables, then instep1834, the resource responds to the request. Responding to the request can include providing a web page, access to a software process or anything else appropriate for the particular resource. If, instep1832, it is determined that there are header variables, then instep1836 the resource searches for a particular variable name. In order to use header variables, the resource must be preprogrammed to know what header variables to expect and how to use them. Thus, the resource will have a list of variable names it seeks. Instep1836, the resource looks for one of the listed variable names in the set of header variables. Once found, the resource reads the string for the found variable instep1838. Instep1840, the resource reads the variable value (e.g. LDAP attribute). When HTTP variables are set up in actions, a variable name, a string for the variable and data for the variable are provided. Instep1842, it is determined whether any variables to operate on. If so, the method ofFIG. 47 loops back tostep1836. If there are no more variables to operate, then instep1844 the resource acts on the variables by taking the information from the variables and using them in the manner appropriate for the particular resource. Instep1846, the resource responds to the request as appropriate for that particular resource.

One example for using the process ofFIG. 47 is to provide an automated login for a downstream application. For example, upon authentication or authorization successes, login information for a particular user and a particular application can be added to the HTTP request as header variables. The downstream application can be programmed to search the header variables for the login and password information and automatically attempt to authorize the user. In another example, user identity profile information is passed to a downstream application without the user accessing the application directly. This user identity profile information would be stored in header variables and provided to the resource being accessed. Thus, the resource being accessed can be fully customized for the user accessing the resource. For example, the resource can address the user by name and title and access preferences for that user. There are an unlimited number of resources that can be accessed by a user and, thus, unlimited ways to use the information contained in header variables.

As discussed above, the Access System monitors and logs various events, including authorization and authentication failure/success events. In other embodiments, other events can be monitored and logged. When an event being monitored occurs, an entry is added to an appropriate audit log. For purposes of the present invention, the terms log and log entry are used broadly because no special format is necessary for the present invention. A log can include any reasonable and organized system for storing information.

FIG. 48 provides a flow chart detailing the steps performed for logging authentication and/or authorization events (seesteps764,774,792, and796 ofFIG. 22). In one embodiment, the steps ofFIG. 48 are performed byWeb Gate28 andauditing module544. The log process is configurable because the audit rule associated with a requested resource can specify any combination of information to be logged in audit logs546 in response to a detected type of event selected to be audited. For example, in one embodiment of the present invention, an audit rule associated with a requested resource can specify that all or a subset of the attributes of the identity profile for the user making the access request should be logged in one of audit logs546 for the specific event. In another embodiment, the time of the authentication and an identification authorization event is logged in one or more of audit logs546. An identification of the resource, the rule evaluated, the type of event, the IP (or other) address of the requesting machine, user ID, an identification of the operation being performed (e.g. GET, etc.) an identification of the Web Gate and/or access server that processed the request, user password and any other suitable information can also be logged.

Storing identity profile information, as well as the other information listed above, allows the system to provide data for load balancing, various business reports, and reports about how the system is being used. For example, knowledge of which resources are being accessed, when resources are being used and who is accessing the resources can allow an administrator to perform load balancing on the system. Reports identifying which content is being accessed the most can help a business allocate resources. Information about how various entities use the system can provide behavioral data to the host. Various other business reports and monitoring can also be useful.

The process ofFIG. 48 is commenced by the detection of an access system event. In the embodiment ofFIG. 22, both the attempt to authenticate (steps760 &762) and the attempt to authorize (steps756 &790) can be thought of as the detection of an access system event. Thus, the access system events of the embodiment ofFIG. 22 includes authorization success, authorization failure, authentication success and authentication failure. Other access system events can also be monitored for use with the present invention. In other embodiment, detecting an access system event can utilize different means than explicitly described inFIG. 22, as long as the system has a means for knowing that an event occurred. Alternatively, an access system event can be detected using specific monitors or sensors.

Instep1870 ofFIG. 48,Web Gate28 readsaudit mask503 fromresource cache502 in response to an authentication or authorization result. Ifaudit mask503 indicates that the event is not audited (step1872), then the method is done (step1874). If the event is to be audited (step1872), thenWeb Gate28 passesretainer505 toauditing module544, thus identifying the applicable policy domain and/or policy for auditing. Instep1878,auditing module544 reads the audit rule associated with the requested resource fromaudit rule cache574. In one embodiment, the audit rule read instep1878 will be a first level (default) audit rule, a second level (specific) audit rule, or a master audit rule applicable to all resources when neither a first or second level audit rule is found. Instep1880,auditing module544 logs information specified by the found audit rule into one or more audit logs546. In one embodiment of the present invention,Access Server34 informsauditing module544 of authentication and authorization events to be logged, thus, allowingauditing module544 to performsteps1878 and1880 directly in response to an authentication or authorization result, rather than waiting to be prompted byWeb Gate28.

FIG. 49 provides a flow chart of a method for loading audit rules (seestep846 ofFIG. 23). Instep1900,Access Server34 loads the default audit rule for the policy domain mapped instep836 ofFIG. 23 fromDirectory Server36 intoaudit rule cache574.Access Server34 then selects a rule in array565 (step1902) and determines whether the selected rule is a specific audit rule for a policy associated with the requested resource, by using the method ofFIG. 26 previously described above (step1904). If the resource is part of the policy, thenAccess Server34 proceeds to step1912. Otherwise,Access Server34 determines whether all rules inarray565 have been considered (step1906). If not, thenAccess Server34 selects the next rule in array565 (step1908), and returns to step1904. Once all rules inarray565 have been considered (step1906),Access Server34 proceeds to step1912. If a second level authentication rule was found for the requested resource instep1904, thenauthentication module540 caches the second level audit rule in audit rule cache574 (step1912) and proceeds to step1914. Instep1914,Access Server34 preparesaudit mask503, identifying the authentication and authorization events to be logged (audited) byauditing module544 in accordance with the second level audit rule. If a second level audit rule was not found (step1910), then the first level audit rule previously loaded in step1484 remains inaudit rule cache574, andAccess Server34 preparesaudit mask503 using the first level audit rule. Thus, when the method ofFIG. 49 is done, only one audit rule for the requested resource will remain inaudit rule cache574.

FIG. 50 depicts one embodiment of components used to detect attempted intrusions. The attempted intrusions can be inadvertent or malicious. The goal is to detect attempted intrusions of the access system, which includes the protected resources.FIG. 50 shows audit logs546 which can be one or more logs for logging various events. For example, there could be one log for logging authentication failure events, one log for logging authorization failure events, etc. Alternatively, there could be one log for logging multiple types of events. In one embodiment, for each log, or each type of event, anaudit log sensor548 monitors the type of event occurring. For example, in one embodiment there is an authentication failure sensor and an authorization failure sensor. If other events are monitored, there can be a sensor for each of the other events. When an authorization failure event occurs and a log entry is added to audit log546 for the event, the authorization failure sensor will make a copy of the log entry and send it todatabase server1934. Each of theaudit log sensors548 will send copies of log entries they detect todatabase server1934. In one embodiment,database server1934 includes an SQL database for storing all of the received log entries. Periodically,database server1934 sends a set of log entries tosecurity server1936. In one embodiment,database server1934 is stored within the local system ofFIG. 1 andsecurity server1936 is located offsite. In one embodiment,database server1934 is not provided and the various log sensors send their log entries directly tosecurity server1936. As discussed above, the audit log entries are fully configurable. The log entries sent by the sensors can be exact duplicates of the log entries in the audit logs or they can be reformatted versions or versions that store only a subset of the original information.

FIG. 51 provides a flow chart describing the operation of the components depicted inFIG. 50. Instep1950, an event is logged. The system is fully configurable to allow the sensors to monitor all or a subset of events being logged. The events being monitored bysensors548 are denoted as registered events. For example, in one embodiment, the system logs all authentication failure, authentication success, authorization failure and authorization success events, whilesensors548 monitor only authentication failure and authorization failure events. Instep1952, it is determined whether the logged event is a registered event. If not, the method ofFIG. 51 is done (step1964). If it is a registered event, then instep1954 the sensor accesses instructions for the event type. For each event type being monitored by a sensor, the system is configurable to perform any action specified by the administrator. For example, in one embodiment, an action will be to send the log entry to a database server. In another embodiment the action will also include adding information to the log entry such as information from a user identity profile, login information, time, date, etc. Instep1956,sensor548 accesses the log entry and performs instructions for the event type to the log entry instep1958. As discussed above, one exemplar instruction requests that the sensor sends the log entry to eitherdatabase server1934 orsecurity server1936. If the sensor is instructed to send the log entry todatabase server1934, thendatabase server1934 receives and stores the log entry instep1960. Instep1962,database server1934 will periodically send all or a subset of the log entries tosecurity server1936.

FIG. 52 is a flow chart describing the operation ofsecurity server1936. Instep1980,security server1936 receives a log entry.Step1980 could include receiving a particular log entry directly from asensor548 or receiving a set of log entries fromdatabase server1934. Instep1982, the log entries are stored atsecurity server1936. In step1984, a rules engine is run on a set of stored log entries. The log entries used in step1984 could include the newest set of log entries and, optionally, previous log entries going back historically as needed by the rules engine. The rules engine can look for any particular pattern of events. In one embodiment, the steps ofFIGS. 51 and 52 are used to detect one or more attempts of intrusion of the system. For intrusion detection, the rules engine looks for patterns over time of an entity attempting to wrongfully access resources in the system ofFIG. 1. In such a case, various patterns can be detected. For example, the rules engine may look for three authorization failures for the same entity or three authentication failures with the same login name or password.Security server1936 correlates events over time to identify persons or actions that constitute security breaches or attempted security breaches.

FIG. 53 provides a flow chart detailing the steps performed byAccess Manager40 for flushing and synchronizing caches ofWeb Gate28 andAccess Server34 in accordance with the present invention. If a change is made (by an administrator, user, or otherwise) to a policy domain or a policy stored onDirectory Server36, any affected first level or second level rules cached in the respective caches ofWeb Gate28 andAccess Server34 will become stale data. Similarly, if a change is made to user identity profiles102 or revokeduser list108 onDirectory Server36, previously cached versions of the changed data will become stale. Accordingly, the respective caches ofWeb Gate28 andAccess Server34 must be flushed to preventWeb Gate28,Access Server34,User Manager38,Access Manager40, orSystem Console42 from using the stale data.

Instep2010,Access Manager40 detects a change to data stored on Directory Server26. In step2012,Access Manager40 reads the previous Global Sequence Number (GSN)112 stored ondirectory server36. Instep2014,Access Manager40 assigns a current GSN to the change detected instep2010. In one embodiment of the present invention, the current GSN is the next sequential number after theprevious GSN112. Instep2016,Access Manager40 stores the current GSN onDirectory Server36, replacing theprevious GSN112. Instep2018,Access Manager40 generates a synchronization (sync) record to facilitate cache flushing. Instep2020,Access Manager40 passes a cache flush request and the newly generated synchronization record to eachAccess Server34.

FIG. 54 provides a block diagram of a synchronization record in accordance with the present invention.Synchronization record2040 includes thecurrent GSN2042 assigned to the change detectedinstep2010 ofFIG. 53.Synchronization record2040 also includesIDs2044, which identify the data affected by the detected change, such as the policy domain, first level rules, policy, second level rules, etc.Synchronization record2040 also indicates what type ofchange2046 was detected (e.g. whether it be an addition, modification, or deletion).Time2048 is also stored, indicating the time at which the change was detected instep2010.

FIG. 55 provides a flow chart detailing steps performed byAccess Server34 in response to receiving asynchronization record2040 fromAccess Manager40. Instep2060,Access Server34 receives a synchronization record and flush request.Access Server34 updates its stored GSN by replacing the stored GSN with the synchronization record GSN (step2066). Instep2068,Access Server34 then flushes the cached information identified byelements2044,2046, and2048 ofsynchronization record2040.Access Server34 then storessynchronization record2040 on Access Server34 (step2070).

FIG. 56 provides a flow chart detailing the steps performed byWeb Gate28 for flushing and synchronizing its caches in accordance with the present invention. Instep2100,Web Gate28 issues a request toAccess Server34. Upon serving the request,Access Server34 returns the value of its stored GSN554 (step2102) toWeb Gate28.Web Gate28 compares theGSN544 returned instep2102 withGSN510 stored by Web Gate28 (step2104).Web Gate28 requests allsynchronization records550 stored onAccess Server34 having GSN's greater thanGSN510 stored onWeb Gate28 or appearing in sync record table518.Web Gate28 flushes data having ID's2044 (specified insynchronization record2040 received from Access Server34) from its caches (step2110). Instep2112,Web Gate28 updates itsGSN510 to equalGSN554 stored on Access Server34 (step2112). In one embodiment,Web Gate28 maintains a sync record table518 that identifies all sync records that have not yet been processed byWeb Gate28. For example, a sync record will remain unprocessed if its transmission toWeb Gate28 fromAccess Server34 is delayed. Instep2114,Web Gate28 updates table518 by removing entries for synchronization records processed instep2110.

FIG. 57 provides a flow chart describing the process of testing access to resources using the system ofFIG. 1.Access Manager40 includes an Access Tester process. The Access Tester allows an administrator, or any other authorized user, to determine who or what entities may access a resource under the current access criteria, whether a particular individual or set of individuals have access to a resource under certain conditions and whether the first level and second level rules, policies or policy domains associated with a resource operate as intended. In one embodiment, an administrator accesses the Access Tester using a GUI onAccess Server40. In one implementation, the system tests access to a resource without actually authenticating or authorizing access to the resource. Thus, the system is testing a successfully authenticated user's access to the resource. Instep2260, the administrator enters a URL (or other identities) for a resource to be tested. In one alternative, multiple URLs can be entered so that the test is performed for multiple resources. In another alternative, the administrator can select to test for all possible resources so that the Access Tester will determine which resources are available to the users identified for the test. Instep2262, the administrator selects the HTTP request methods that the administrator wants to test. If no HTTP request methods are entered, the system will test all HTTP request methods. Protocols other than HTTP can also be used. In accordance with the present invention other protocols besides HTTP can be used. If the administrator wants to know if a particular computer can access the resource, the administrator can enter the computer's IP address instep2264. If no IP address is entered instep2264, then the test will not be limited to any particular computer.

Instep2266 ofFIG. 57, the administrator can enter date and time restrictions. In one embodiment, the administrator can indicate that any time and day can be used so that the timing and date restrictions do not restrict the test. Alternatively, the administrator can enter a specific time and/or date for testing. The date and time information can identify a specific date and time or ranges of dates and times. As discussed above, policies can be configured to allow certain access by users at certain times on certain dates. Instep2268, the administrator selects which users to test access for. The administrator can request testing for all possible users or subsets thereof. If the user desires to test for selected users, the administrator can identify individual users. Alternatively, the administrator can use filters, rules, or roles to identify subsets of users. Testing for all users allows an administrator to see which users have access to a particular resource. Steps2260-2268 are information gathering steps. In one embodiment, they are performed by having an administrator enter information intoAccess Manager40. In other embodiments, this information is provided to the Access Tester via a file, a software process, information exchange protocols such as XML, etc.

Steps2270-2282 are performed by the Access Tester in order to test access to the resource in question. Instep2270, the policy domain is identified for the URL entered instep2260 using the processes described above. Instep2272, the system searches for a policy associated with the URL in accordance with the processes described above. If more than one URL was entered instep2260, than more than one policy or more than one policy domain may be identified. Instep2274, the Access Tester chooses one user from the set of users selected instep2268 and the identity profile for the chosen user is accessed (optional). Instep2276, authorization is checked for that user.Step2276 is performed in a similar manner as described above with respect to step756 ofFIG. 22, except that after it is determined whether the user is authorized, no log entry is created and the user is not actually authorized. If a policy was found instep2272, then the authorization rules for the policy are used instep2276. If no policy was found instep2272, then the default authorization rules for the policy domain are used instep2276. The information fromsteps2262,2264, and2266, and the user's identity profile (optional) are used to determine whether the one or more applicable authorization rules are satisfied. If they are satisfied, then it is determined that the particular user is authorized to access the resource under the conditions entered in steps2260-2268. Instep2278, it is determined whether there are more users from the set of users identified instep2268. If there are more users, another user is chosen instep2280 and the identity profile for that user is accessed. Afterstep2280, the method loops back tostep2276. If there are no more users to consider (step2278), then the results are displayed instep2282.

In one embodiment, the method of displaying and/or the contents of the results instep2282 are configurable. For example, the administrator can select whether the matching policy domain, policy and/or matching rules should be displayed. One embodiment ofstep2282 includes displaying a table (not shown) in a GUI listing all users. For each user, the table displays the URL in question, the request method tested, the policy domain, the policy, the authorization rules, date and time information, IP address information, and an indication of whether the user is authorized to access the resource. In one embodiment, only a configurable subset of this information is displayed. It is possible that a user may have multiple entries in the result table, for example, when the date and timing information results in access grants at some times and access denials at other times. The results table allows an administrator to determine whether the policies created for a particular resource or set of resources are appropriate. In addition, the administrator can use the Access Tester to determine whether specific users have appropriate access rights. The Access Tester quickly allows an administrator to verify authorization rules created for particular policy domains and/or policies. In alternative embodiments ofstep2282, the results are reported in a file, in XML, on a printer, using voice, etc. In one embodiment, the results reported could include an indication that access is granted, access is denied, there is redirection to a different resource or it is undetermined (e.g. a custom authorization plug-in cannot be loaded).

Various alternatives to the above described embodiments are also within the spirit of the present invention. For example, in one embodiment, the system ofFIG. 1 can include a separate Identity Server which will perform many (or all) of the tasks associated with managing the Identity System. In one embodiment, such an Identity Server would include a Publisher, a User Manager, a Group Manager and an Organization Manager.

The Publisher is an application that lets a user publish LDAP-based directory information about users, reporting structures, departments, offices and other resources stored in enterprise directories. The User Manager is responsible for password management, certificate management, and delegation administration of user identity profiles. For example, the User Manager can create and delete users, roles, rights and credentials.

The Group Manager manages groups. When a company is setting up an Extranet/Internet or ASP services, the company will need to provide only certain groups of people with access to the application/resources that they are making available. The entities in a group can be determined by specifically adding a person or group, or by identifying a specific attribute or value in user identity profiles. Companies can use these methods to use roles/rights management, or to grant/deny access to the applications that they will need. The Group Manager will manage this group functionality, including supporting multiple types of groups, managing group ownership, group membership, group administration, etc.

The Organization Manager is used to manage organizations. When companies are dealing with outside partners, suppliers, or other organizations (internal or external), the companies need a way to manage those organizations including creating the entity, modifying it or deleting it. There are three fundamental data structures that are used to organize directory data in the directory server: (1) User objects for the actual information about the user; (2) group objects for collections of users; and (3) organization objects, which are containers for user, group and other organization objects. Organizations can be created and removed from the system. Additionally, organizations can be managed by a manager, self managed, or managed in a delegated fashion.

The system can also be implemented with multiple Identity Servers. Each Identity Server will have its own cache or set of caches. In one scenario, if one of the Identity Servers change it cache, it will communicate to the others to flush their cache.

Another alternative embodiment will include Public Key Infrastructure (PKI) integration. By deploying PKI, customers can issue certificates to various users. PKI is a key technology for enabling e-business and e-commerce by making transactions and interactions that are more secure between companies and across the Internet.

Another embodiment includes Pre and Post Processing (PPP). PPP server-side hooks allow customers to extend the business logic of the Identity Systems by communicating with other systems before and after an event happens in the Identity System (or Access System). Customers can hook shared libraries, Pearl scripts or any other applications that can be called from specific well defined points in the processing logic of the application. As an example, during the user creation work flow process, a customer might want to call out to another system that creates an account for a user and provides information that should be stored in the user identity profile. As part of the call out, information can be returned to the Identity System. PPP can be used to perform data validation and password management. PPP could also be used as a notification engine (e.g. when a given action occurs, send an email).

In one embodiment, the system is implemented as a three-tier architecture. This allows the Identity System to be placed behind a firewall, while the only component exposed outside the firewall (or in the DMZ) is a Web Server with a Web Pass plug-in. The Web Pass plug-in is a plug-in for the Web Server that communicates with the Identity Server. The Web Pass Plug-in is analogous to the Web Gate for the access system. This allows customers to run the system with enhanced security and provides another point to do fail over, load balance and utilize redundant servers.

In another embodiment, the system ofFIG. 1 can accept input in XML format and provide output in XML format. Additionally, the system will make use of XML remote procedure calls (RPC).

In an alternative implementation, the system could attempt to validate data on input. If a user or application enters data into the system that is outside predefined constraints, the data will be rejected.

In another embodiment, Access System authentication policies and schemes can be used by third party applications through an API. For example, the API allows third party developers to create clients to perform authentication while running on application servers. Authenticated user sessions can be shared among application components, allowing creation of session tokens compatible with Access System cookies and re-creation of user sessions from session tokens imported from Web Gates or other components. In one embodiment, Java servlets, Enterprise Java Beans (EJB's), and standalone Java, C++, and C programs are supported.

In one variation, Access System authorization rules and actions can be created by third party developers through an API. In one embodiment, these custom authorization rules and actions are programmed in C code. In another embodiment, custom authorization rules and actions can reside in an Access System with pre-existing authorization rules and actions.

In another embodiment, “affiliate” Web Gates are installed on remote Web Servers to provide single sign-on authentication across multiple organizations. The affiliate Web Gates can access Web Gates of the Access System, but cannot directly communicate withAccess Server34. For example, a first company may maintain a web site protected by an Access System in accordance with the present invention. If the first company agrees to allow customers of a second company to access a subset of resources on the first company's web site, an affiliate Web Gate will be installed on the second company's web server. When a customer of the second company requests resources from this subset, the affiliate Web Gate will request a Web Gate of the Access System to authenticate the customer. The Access System Web Gate will return a successful or unsuccessful authentication result to the affiliate Web Gate.

FIG. 4, above, shows a hierarchical directory structure. Other data structures can also be used. One example of a suitable alternative is a flat data structure that does not include a hierarchy. Another suitable example includes a fat tree, which is a hierarchy that has few levels and each level is wide (a lot of nodes). One additional feature that can be used with various data structures is the implementation of a variable search base. In some embodiments, a user can access the entire hierarchy, subject to access rules and localized access filters. In other embodiments, users will be limited to only accessing portions of the hierarchy. For example, the system can be set up so that users underneath a particular node in the hierarchy can only access other nodes below that particular node. This restriction on access is done before applying any access criteria and localized access filters, and can be thought of as restricting the search base. In effect, the top root of the hierarchy can then vary on aper user or group basis.

Another alternative embodiment for the Identity System is allow the flow of managing user identity profiles to be configurable so that they can match the procedures of the company or entity.

Policy domain information and policy information can be stored with a resource, with a resource's information in the directory server or in a location on the directory server (or elsewhere)for storing sets of policy domain information and policy information. Additionally, the above described system can work with one directory server or multiple directory servers.

The foregoing detailed description of the invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen in order to best explain the principles of the invention and its practical application to thereby enable others skilled in the art to best utilize the invention in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the claims appended hereto.

Claims (37)

I claim:

1. A method for testing access to a resource available on a network, comprising the steps of:

receiving access information;

testing whether access to said resource is authorized based on said access information without granting authorization to said resource, said testing includes accessing an authorization rule for said resource and accessing an identity profile for a first user to determine whether at least a portion of said authorization rule is satisfied based on information in said identity profile, said authorization rule is not part of said identity profile; and

reporting whether access to said resource is authorized based on said step of testing.

2. A method according toclaim 1, wherein:

said step of receiving access information includes receiving said access information from a user interface.

3. A method according toclaim 1, wherein:

said access information is capable of including an identification of said resource, identification information for one or more entities, one or more request methods, an address of a device, date information and time information.

4. A method according toclaim 1, wherein:

said access information includes an identification of one or more entities;

said identification of one or more entities includes a user name for said first user; and

said step of testing includes determining whether said first user can access said resource.

5. A method according toclaim 1, wherein:

said access information includes an identification of one or more entities;

said identification of one or more entities includes a user role; and

said step of testing includes determining whether a set of one or more entities satisfying said role can access said resource.

6. A method according toclaim 1, wherein:

said access information includes timing information.

7. A method according toclaim 6, wherein:

said timing information includes a time range; and

said step of testing includes determining whether a set of entities can access said resource within said time range.

8. A method according toclaim 6, wherein:

said timing information includes a date range; and

said step of testing includes determining whether a set of entities can access said resource within said date range.

9. A method according toclaim 1, wherein:

said access information includes an address of a device; and

said step of testing includes determining whether an entity using said device can access said resource.

10. A method according toclaim 1, wherein:

said access information includes an access request method; and

said step of testing includes determining whether an entity can access said resource using said access request method.

11. A method according toclaim 1, wherein:

said access information includes a URL identifying said resource.

12. A method according toclaim 1, wherein:

said access information includes an identification of a set of entities; and

said step of testing includes the steps of:

(a) selecting an entity,

(b) checking authorization for said entity, and

(c) repeating steps (a) and (b) for each remaining entity in said set of entities.

13. A method according toclaim 1, wherein:

said access information includes an identification of said resource and does not include an identification of any entities; and

said step of testing determines which entities can access said resource.

14. A method according toclaim 1, wherein:

said access information includes an identification of an entity and does not include an identification of any resources; and

said step of testing includes determining which resources can be accessed by said entity.

15. A method according toclaim 1, wherein:

said step of testing includes determining whether all of said authorization rule is satisfied.

16. A method according toclaim 15, wherein:

said access information includes information for identifying a set of one or more entities;

said authorization rule includes role criteria; and

said step of determining whether all of said authorization rule is satisfied includes evaluating whether said set of one or more entities meet said role criteria.

17. A method according toclaim 15, wherein:

said access information includes information for identifying a set of one or more entities;

said authorization rule includes rule criteria; and

said step of determining whether all of said authorization rule is satisfied includes evaluating whether said set of one or more entities meet said rule criteria.

18. A method according toclaim 1, wherein:

said step of reporting is user configurable so that a user can provide an indication of whether to display one or more authorization rules.

19. A method according toclaim 1, wherein:

said step of reporting includes displaying first information indicating that said first user can access said resource at a first time and second information indicating that said first user cannot access said resource at a second time.

20. A method according toclaim 1, wherein sad step of testing includes the steps of:

searching for a specific authorization rule;

determining authorization using said specific rule if said specific rule is found; and

determining authorization using a default rule if said specific rule is not found.

21. A method according toclaim 1, wherein said step of testing includes the steps of:

identifying a policy domain;

searching for a policy;

determining authorization using a default rule for said policy domain if no policy is found; and

determining authorization using a specific rule for said policy if said policy is found.

22. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a method, comprising the steps of:

receiving access information; and

testing whether access to a resource is authorized based on said access information, said testing includes:

identifying a policy domain to which said resource belongs, said policy domain includes a set of one or more policies,

determining whether said resource is associated with a policy in said set of one or more policies,

if said resource is not associated with a policy in said set, determining whether access to said resource is authorized using an authorization rule associated with said policy domain but not a policy in said set of one or more policies, and

if said resource is associated with a policy in said set, determining whether access to said resource is authorized using an authorization rule associated with said policy with which said resource is associated.

23. One or more processor readable storage devices according toclaim 22, wherein said processor readable code includes:

a user interface console;

an access tester; and

an authorization module.

24. One or more processor readable storage devices according toclaim 22, wherein:

said access information is capable of including an identification of said resource, identification information for one or more entities, one or more request methods, an address of a device, date information and time information.

25. One or more processor readable storage devices according toclaim 22, wherein:

said access information includes an identification of one or more entities;

said identification of one or more entities includes a user role; and

said step of testing includes determining whether a set of one or more entities satisfying said role can access said resource.

26. One or more processor readable storage devices according toclaim 22, wherein:

said access information includes an identification of one or more entities;

said identification of one or more entities includes a rule; and

said step of testing includes determining whether a set of one or more entities satisfying said rule can access said resource.

27. One or more processor readable storage devices according toclaim 22, wherein:

said access information includes timing information;

said timing information includes a time range; and

said step of testing includes determining whether a set of entities can access said resource within said time range.

28. One or more processor readable storage devices according toclaim 22, wherein:

said access information includes an access request method; and

said step of testing includes determining whether an entity can access said resource using said access request method.

29. One or more processor readable storage devices according toclaim 22, wherein:

said access information includes information for identifying a first user; and

said step of testing includes the steps of:

accessing an identity profile for said first user, and

comparing information in said identity profile to authorization criteria for said resource to determine whether said first user is authorized to access said resource.

30. One or more processor readable storage devices according toclaim 22, wherein:

said step of testing includes determining whether an authorization rule is satisfied;

said access information includes information for identifying a set of one or more entities;

said authorization rule includes rule criteria; and

said step of determining whether an authorization rule is satisfied includes evaluating whether said set of one or more entities meet said rule criteria.

31. An apparatus comprising:

a communication interface;

one or more storage devices; and

one or more processors in communication with said one or more storage devices and said communication interface, said one or more processors programmed to perform a method comprising the steps of:

receiving access information, and

testing whether access to a resource secured by an access system is authorized based on said access information, said access system includes an access management system and an identity management system wherein testing includes

identifying a policy domain;

searching for a policy;

determining authorization using a default rule for said policy domain if no policy is found; and

determining authorization using a specific rule for said policy if said policy is found.

32. An apparatus according toclaim 31, wherein:

said access information is capable of including an identification of said resource, identification information for one or more entities, one or more request methods, an address of a device, date information and time information.

33. An apparatus according toclaim 31, wherein:

said access information includes an identification of one or more entities;

said identification of one or more entities includes a user role; and

said step of testing includes determining whether a set of one or more entities satisfying said role can access said resource.

34. An apparatus according toclaim 31, wherein:

said access information includes an identification of one or more entities;

said identification of one or more entities includes a rule; and

said step of testing includes determining whether a set of one or more entities satisfying said rule can access said resource.

35. An apparatus according toclaim 31, wherein:

said access information includes timing information;

said timing information includes a time range; and

said step of testing includes determining whether a set of entities can access said resource within said time range.

36. An apparatus according toclaim 31, wherein:

said access information includes an access request method; and

said step of testing includes determining whether an entity can access said resource using said access request method.

37. An apparatus according toclaim 31, wherein:

said access information includes information for identifying a first user; and

said step of testing includes the steps of:

accessing an identity profile for said first user, and

comparing information in said identity profile to authorization criteria for said resource to determine whether said first user is authorized to access said resource.

Images